Hello community, here is the log from the commit of package librelp for openSUSE:Factory checked in at 2020-03-03 10:14:44 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/librelp (Old) and /work/SRC/openSUSE:Factory/.librelp.new.26092 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "librelp" Tue Mar 3 10:14:44 2020 rev:37 rq:780644 version:1.5.0 Changes: -------- --- /work/SRC/openSUSE:Factory/librelp/librelp.changes 2019-03-14 14:52:32.599786385 +0100 +++ /work/SRC/openSUSE:Factory/.librelp.new.26092/librelp.changes 2020-03-03 10:14:51.474478751 +0100 @@ -1,0 +2,6 @@ +Tue Feb 25 19:49:40 UTC 2020 - Andreas Stieger <[email protected]> + +- librelp 1.5.0: + * Fix librelp engine long shutdown issues + +------------------------------------------------------------------- Old: ---- librelp-1.4.0.tar.gz New: ---- librelp-1.5.0.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ librelp.spec ++++++ --- /var/tmp/diff_new_pack.um9y3p/_old 2020-03-03 10:14:52.806481507 +0100 +++ /var/tmp/diff_new_pack.um9y3p/_new 2020-03-03 10:14:52.810481515 +0100 @@ -1,7 +1,7 @@ # # spec file for package librelp # -# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2020 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -18,7 +18,7 @@ %define library_name librelp0 Name: librelp -Version: 1.4.0 +Version: 1.5.0 Release: 0 Summary: A reliable logging library License: GPL-3.0-or-later ++++++ librelp-1.4.0.tar.gz -> librelp-1.5.0.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/librelp-1.4.0/ChangeLog new/librelp-1.5.0/ChangeLog --- old/librelp-1.4.0/ChangeLog 2019-03-04 10:19:09.000000000 +0100 +++ new/librelp-1.5.0/ChangeLog 2020-01-14 10:22:50.000000000 +0100 
@@ -1,4 +1,34 @@ ---------------------------------------------------------------------- +Version 1.5.0 - 2020-01-14 +- bugfix: too late termination of relp Engine on shutdown + When librelp is instructed to shutdown, it processes messages + still present inside its receive buffers. It only terminates + when it needs to wait for new data to arrive. + Depending on RELP and TCP window size and message length, + this may cause many messages to be processed while in shutdown. + Even with default settings, up to 128 messages may be taken off + the wire and be processed. + This is a problem regarding the shutdown timing of a librelp + user (e.g. rsyslog). It may take unexpectedly long to shutdown + the RELP component and as such timeout may occur in the caller + code. This is especially the case if the caller does lengthy + processing when a RELP message is received. Note: It is + perfectly fine for a caller to do this. The problem is that + librelp continues to provide new data for a relatively long + and unexpected period. + This fix ensure that the relp engine shuts down much quicker + when shutdown is requested. It now also checks the shutdown + request while processing already received buffer data. + This problem was detected when working on + see also https://github.com/rsyslog/rsyslog/issues/3941 + closes https://github.com/rsyslog/librelp/issues/175 +- build system fix: invalid default in configure help text + closes https://github.com/rsyslog/librelp/issues/169 +- error message on invalid TLS library request added + This way an invalid TLS library (name) can be detected and the + error presented to the user. So far, invalid library names were + hard to find. +---------------------------------------------------------------------- Version 1.4.0 - 2019-03-05 NOTE TO PACKAGERS: Both openssl and GnuTLS are now enabled by default. 
This is to diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/librelp-1.4.0/Makefile.in new/librelp-1.5.0/Makefile.in --- old/librelp-1.4.0/Makefile.in 2019-03-04 10:19:19.000000000 +0100 +++ new/librelp-1.5.0/Makefile.in 2020-01-14 10:23:28.000000000 +0100 @@ -192,8 +192,8 @@ DIST_SUBDIRS = $(SUBDIRS) am__DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/config.h.in \ $(srcdir)/relp.pc.in AUTHORS COPYING ChangeLog INSTALL NEWS \ - README compile config.guess config.sub depcomp install-sh \ - ltmain.sh missing + README compile config.guess config.sub install-sh ltmain.sh \ + missing DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) distdir = $(PACKAGE)-$(VERSION) top_distdir = $(distdir) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/librelp-1.4.0/configure new/librelp-1.5.0/configure --- old/librelp-1.4.0/configure 2019-03-04 10:19:19.000000000 +0100 +++ new/librelp-1.5.0/configure 2020-01-14 10:23:27.000000000 +0100 @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for librelp 1.4.0. +# Generated by GNU Autoconf 2.69 for librelp 1.5.0. # # Report bugs to <[email protected]>. # @@ -590,8 +590,8 @@ # Identity of this package. PACKAGE_NAME='librelp' PACKAGE_TARNAME='librelp' -PACKAGE_VERSION='1.4.0' -PACKAGE_STRING='librelp 1.4.0' +PACKAGE_VERSION='1.5.0' +PACKAGE_STRING='librelp 1.5.0' PACKAGE_BUGREPORT='[email protected]' PACKAGE_URL='' @@ -1368,7 +1368,7 @@ # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures librelp 1.4.0 to adapt to many kinds of systems. +\`configure' configures librelp 1.5.0 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... 
@@ -1439,7 +1439,7 @@ if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of librelp 1.4.0:";; + short | recursive ) echo "Configuration of librelp 1.5.0:";; esac cat <<\_ACEOF @@ -1461,7 +1461,7 @@ --enable-compile-warnings=[no/yes/error] Enable compiler warnings and errors --disable-Werror Unconditionally make all compiler warnings non-fatal - --enable-tls Enable TLS support [default=no] + --enable-tls Enable TLS support [default=yes] --enable-tls-openssl Enable OpenSSL TLS support [default=yes] --enable-debug Enable debug mode [default=no] --enable-valgrind Enable valgrind tests[default=yes] @@ -1568,7 +1568,7 @@ test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -librelp configure 1.4.0 +librelp configure 1.5.0 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. @@ -2094,7 +2094,7 @@ This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by librelp $as_me 1.4.0, which was +It was created by librelp $as_me 1.5.0, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -2960,7 +2960,7 @@ # Define the identity of the package. PACKAGE='librelp' - VERSION='1.4.0' + VERSION='1.5.0' cat >>confdefs.h <<_ACEOF @@ -15321,7 +15321,7 @@ # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by librelp $as_me 1.4.0, which was +This file was extended by librelp $as_me 1.5.0, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES 
@@ -15387,7 +15387,7 @@ cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -librelp config.status 1.4.0 +librelp config.status 1.5.0 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/librelp-1.4.0/configure.ac new/librelp-1.5.0/configure.ac --- old/librelp-1.4.0/configure.ac 2019-03-04 10:19:09.000000000 +0100 +++ new/librelp-1.5.0/configure.ac 2020-01-14 10:22:59.000000000 +0100 @@ -2,7 +2,7 @@ # Process this file with autoconf to produce a configure script. AC_PREREQ(2.61) -AC_INIT([librelp], [1.4.0], [[email protected]]) +AC_INIT([librelp], [1.5.0], [[email protected]]) # change to the one below if Travis has a timeout #AM_INIT_AUTOMAKE([subdir-objects serial-tests]) @@ -125,7 +125,7 @@ # enable TLS (may not be possible on platforms with too-old GnuTLS) AC_ARG_ENABLE(tls, - [AS_HELP_STRING([--enable-tls],[Enable TLS support @<:@default=no@:>@])], + [AS_HELP_STRING([--enable-tls],[Enable TLS support @<:@default=yes@:>@])], [case "${enableval}" in yes) enable_tls="yes" ;; no) enable_tls="no" ;; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/librelp-1.4.0/src/librelp.h new/librelp-1.5.0/src/librelp.h --- old/librelp-1.4.0/src/librelp.h 2019-03-04 10:03:06.000000000 +0100 +++ new/librelp-1.5.0/src/librelp.h 2020-01-14 10:22:05.000000000 +0100 
@@ -233,6 +233,8 @@ relpRetVal relpSrvSetGnuTLSPriString(relpSrv_t *pThis, char *pristr); relpRetVal relpSrvSetCACert(relpSrv_t *pThis, char *cert); relpRetVal relpSrvSetOwnCert(relpSrv_t *pThis, char *cert); +relpRetVal relpSrvSetTlsConfigCmd(relpSrv_t *pThis, char *cfgcmd); +relpRetVal relpSrvSetCACert(relpSrv_t *pThis, char *cert); relpRetVal relpSrvSetPrivKey(relpSrv_t *pThis, char *cert); relpRetVal relpSrvSetAuthMode(relpSrv_t *pThis, char *mode); relpRetVal relpSrvAddPermittedPeer(relpSrv_t *pThis, char *peer); @@ -252,6 +254,7 @@ relpRetVal relpCltSetCACert(relpClt_t *pThis, char *file); relpRetVal relpCltSetOwnCert(relpClt_t *pThis, char *file); relpRetVal relpCltSetPrivKey(relpClt_t *pThis, char *file); +relpRetVal relpCltSetTlsConfigCmd(relpClt_t *pThis, char *cfgcmd); relpRetVal relpCltSetAuthMode(relpClt_t *pThis, char *mode); relpRetVal relpCltAddPermittedPeer(relpClt_t *pThis, char *peer); relpRetVal relpCltSetUsrPtr(relpClt_t *pThis, void *pUsr); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/librelp-1.4.0/src/relp.c new/librelp-1.5.0/src/relp.c --- old/librelp-1.4.0/src/relp.c 2019-03-04 10:03:06.000000000 +0100 +++ new/librelp-1.5.0/src/relp.c 2020-01-14 10:22:05.000000000 +0100 @@ -1,6 +1,6 @@ /* The RELP (reliable event logging protocol) core protocol library. * - * Copyright 2008-2018 by Rainer Gerhards and Adiscon GmbH. + * Copyright 2008-2019 by Rainer Gerhards and Adiscon GmbH. * * This file is part of librelp. * 
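Review bot: The added `relpRetVal relpSrvSetCACert(relpSrv_t *pThis, char *cert);` in the first librelp.h hunk repeats the prototype that already stands two lines above it; an identical redeclaration is legal C and compiles, but it reads like a leftover from copying the template for the `relpSrvSetTlsConfigCmd` line and should be dropped. Both new public prototypes, `relpSrvSetTlsConfigCmd` and `relpCltSetTlsConfigCmd`, are exported without any comment on what `cfgcmd` may contain; judging by the parser added to tcp.c later in this diff it is newline-separated `Command=value` pairs handed to the OpenSSL SSL_CONF API, with NULL clearing a previous value, so a one-line comment such as `/* cfgcmd: newline-separated "Command=value" pairs passed to the TLS library's config API; NULL clears */` beside each prototype would spare callers reading the implementation.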
@@ -386,6 +386,9 @@ }else if(!strcasecmp(name, "openssl")) { relpEngineSetTLSLib(pThis, RELP_USE_OPENSSL); } else { + relpEngineCallOnGenericErr(pThis, "librelp", RELP_RET_PARAM_ERROR, + "invalid tls lib '%s' requested; this version of " + "librelp only supports 'gnutls', 'openssl'", name); ABORT_FINALIZE(RELP_RET_NOT_SUPPORTED); } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/librelp-1.4.0/src/relpclt.c new/librelp-1.5.0/src/relpclt.c --- old/librelp-1.4.0/src/relpclt.c 2018-12-09 15:34:25.000000000 +0100 +++ new/librelp-1.5.0/src/relpclt.c 2020-01-14 10:22:05.000000000 +0100 @@ -66,6 +66,7 @@ pThis->caCertFile = NULL; pThis->ownCertFile = NULL; pThis->privKey = NULL; + pThis->tlsConfigCmd = NULL; pThis->permittedPeers.nmemb = 0; *ppThis = pThis; @@ -95,6 +96,7 @@ free(pThis->caCertFile); free(pThis->ownCertFile); free(pThis->privKey); + free(pThis->tlsConfigCmd); for(i = 0 ; i < pThis->permittedPeers.nmemb ; ++i) free(pThis->permittedPeers.name[i]); @@ -127,6 +129,7 @@ CHKRet(relpSessEnableTLSZip(pThis->pSess)); } CHKRet(relpSessSetGnuTLSPriString(pThis->pSess, pThis->pristring)); + CHKRet(relpSessSetTlsConfigCmd(pThis->pSess, pThis->tlsConfigCmd)); CHKRet(relpSessSetCACert(pThis->pSess, pThis->caCertFile)); CHKRet(relpSessSetOwnCert(pThis->pSess, pThis->ownCertFile)); CHKRet(relpSessSetPrivKey(pThis->pSess, pThis->privKey)); 
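Review bot: The new error report hands `RELP_RET_PARAM_ERROR` to `relpEngineCallOnGenericErr` while the line below still aborts with `RELP_RET_NOT_SUPPORTED`, so the caller's error callback and the function's return value disagree on the reason for the same failure; using one code in both places, e.g. `relpEngineCallOnGenericErr(pThis, "librelp", RELP_RET_NOT_SUPPORTED,`, keeps them consistent, unless the callback is meant to report a different user-facing class of error, in which case a comment saying so would help. The caller-supplied `name` is passed as a `%s` argument rather than as part of the format string, which is the right way round. The enclosing function starts and ends outside the hunk.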
@@ -336,6 +339,22 @@ finalize_it: LEAVE_RELPFUNC; } +relpRetVal +relpCltSetTlsConfigCmd(relpClt_t *pThis, char *cfgcmd) +{ + ENTER_RELPFUNC; + RELPOBJ_assert(pThis, Clt); + free(pThis->tlsConfigCmd); + if(cfgcmd == NULL) { + pThis->tlsConfigCmd = NULL; + } else { + if((pThis->tlsConfigCmd = strdup(cfgcmd)) == NULL) + ABORT_FINALIZE(RELP_RET_OUT_OF_MEMORY); + } +finalize_it: + LEAVE_RELPFUNC; + +} /* Enable TLS mode. */ relpRetVal relpCltEnableTLS(relpClt_t *pThis) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/librelp-1.4.0/src/relpclt.h new/librelp-1.5.0/src/relpclt.h --- old/librelp-1.4.0/src/relpclt.h 2018-12-09 15:31:02.000000000 +0100 +++ new/librelp-1.5.0/src/relpclt.h 2020-01-14 10:22:05.000000000 +0100 @@ -49,6 +49,7 @@ char *caCertFile; char *ownCertFile; char *privKey; + char *tlsConfigCmd; /**< optional configuration command property for TLS libs **/ relpPermittedPeers_t permittedPeers; int protFamily; /**< protocol family to connect over (IPv4, v6, ...) */ unsigned char *port; /**< server port to connect to */ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/librelp-1.4.0/src/relpsess.c new/librelp-1.5.0/src/relpsess.c --- old/librelp-1.4.0/src/relpsess.c 2019-03-04 10:03:06.000000000 +0100 +++ new/librelp-1.5.0/src/relpsess.c 2020-01-14 10:22:05.000000000 +0100 @@ -136,6 +136,7 @@ pThis->caCertFile = NULL; pThis->ownCertFile = NULL; pThis->privKeyFile = NULL; + pThis->tlsConfigCmd = NULL; pThis->permittedPeers.nmemb = 0; CHKRet(relpSendqConstruct(&pThis->pSendq, pThis->pEngine)); @@ -206,6 +207,7 @@ free(pThis->caCertFile); free(pThis->ownCertFile); free(pThis->privKeyFile); + free(pThis->tlsConfigCmd); relpSessFreePermittedPeers(pThis); pthread_mutex_destroy(&pThis->mutSend); 
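Review bot: `relpCltSetTlsConfigCmd` is the first of four byte-for-byte copies of the same strdup-or-clear setter (the others are `relpSessSetTlsConfigCmd`, `relpSrvSetTlsConfigCmd` and `relpTcpSetTlsConfigCmd` in the later hunks of this diff), and none of them carries a header comment, although the neighbouring setters do. Since the string is passed through unchanged down to the TLS layer, the public entry point is the place to state the accepted syntax and that NULL clears a previously set command, e.g. `/* Set the TLS library configuration command(s); NULL clears. The string is copied. */`. The body also ends with a stray blank line before `}`, and there is no blank line separating it from the `/* Enable TLS mode. */` comment that follows, unlike the surrounding functions.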
@@ -291,6 +293,11 @@ /* we have regular data, which we now can process */ for(i = 0 ; i < lenBuf ; ++i) { + if(relpEngineShouldStop(pThis->pEngine)) { + pThis->pEngine->dbgprint("imrelp is instructed to shut down, thus " + "breaking session %p\n", (void*) pThis); + ABORT_FINALIZE(RELP_RET_SESSION_BROKEN); + } CHKRet(relpFrameProcessOctetRcvd(&pThis->pCurrRcvFrame, rcvBuf[i], pThis)); } } @@ -874,6 +881,7 @@ CHKRet(relpTcpEnableTLSZip(pThis->pTcp)); } CHKRet(relpTcpSetGnuTLSPriString(pThis->pTcp, pThis->pristring)); + CHKRet(relpTcpSetTlsConfigCmd(pThis->pTcp, pThis->tlsConfigCmd)); CHKRet(relpTcpSetCACert(pThis->pTcp, pThis->caCertFile)); CHKRet(relpTcpSetOwnCert(pThis->pTcp, pThis->ownCertFile)); CHKRet(relpTcpSetPrivKey(pThis->pTcp, pThis->privKeyFile)); @@ -1147,6 +1155,24 @@ LEAVE_RELPFUNC; } +relpRetVal +relpSessSetTlsConfigCmd(relpSess_t *pThis, char *cfgcmd) +{ + ENTER_RELPFUNC; + RELPOBJ_assert(pThis, Sess); + + free(pThis->tlsConfigCmd); + if(cfgcmd == NULL) { + pThis->tlsConfigCmd = NULL; + } else { + if((pThis->tlsConfigCmd = strdup(cfgcmd)) == NULL) + ABORT_FINALIZE(RELP_RET_OUT_OF_MEMORY); + } +finalize_it: + LEAVE_RELPFUNC; +} + + /* set the protocol version to be used by this session * rgerhards, 2008-03-25 */ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/librelp-1.4.0/src/relpsess.h new/librelp-1.5.0/src/relpsess.h --- old/librelp-1.4.0/src/relpsess.h 2018-12-09 15:34:25.000000000 +0100 +++ new/librelp-1.5.0/src/relpsess.h 2020-01-14 10:22:05.000000000 +0100 @@ -91,6 +91,7 @@ char *caCertFile; char *ownCertFile; char *privKeyFile; + char *tlsConfigCmd; /**< optional configuration command property for TLS libs **/ relpAuthMode_t authmode; relpPermittedPeers_t permittedPeers; 
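Review bot: The added shutdown check runs once per received octet inside the `for(i = 0 ; i < lenBuf ; ++i)` loop, so `relpEngineShouldStop()` is evaluated up to lenBuf times for every read; if that helper synchronises with the engine (not visible here) this is a real cost on the receive hot path, and the same shutdown latency could be had by testing it once before the loop and again whenever `relpFrameProcessOctetRcvd` completes a frame, if it exposes that. The debug text `"imrelp is instructed to shut down, thus breaking session %p\n"` names the rsyslog input module rather than this library; `"relp engine is instructed to shut down, thus breaking session %p\n"` matches where the message is emitted. Aborting with `RELP_RET_SESSION_BROKEN` drops the rest of the buffer after the current octet; a short comment stating that the sender is expected to retransmit unacknowledged messages (if that is the RELP contract relied on here) would make the intent explicit. The enclosing function starts before the hunk.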
@@ -157,6 +158,7 @@ relpRetVal relpSessSetCACert(relpSess_t *pThis, char *cert); relpRetVal relpSessSetOwnCert(relpSess_t *pThis, char *cert); relpRetVal relpSessSetPrivKey(relpSess_t *pThis, char *cert); +relpRetVal relpSessSetTlsConfigCmd(relpSess_t *pThis, char *cfgcmd); relpRetVal relpSessConstructOffers(relpSess_t *pThis, relpOffers_t **ppOffers); relpRetVal relpSessSetPermittedPeers(relpSess_t *pThis, relpPermittedPeers_t *pPeers); relpRetVal relpSessSetUsrPtr(relpSess_t *pThis, void *pUsr); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/librelp-1.4.0/src/relpsrv.c new/librelp-1.5.0/src/relpsrv.c --- old/librelp-1.4.0/src/relpsrv.c 2019-03-04 10:03:06.000000000 +0100 +++ new/librelp-1.5.0/src/relpsrv.c 2020-01-14 10:22:05.000000000 +0100 @@ -68,6 +68,7 @@ pThis->caCertFile = NULL; pThis->ownCertFile = NULL; pThis->privKey = NULL; + pThis->tlsConfigCmd = NULL; pThis->permittedPeers.nmemb = 0; pThis->maxDataSize = RELP_DFLT_MAX_DATA_SIZE; pThis->oversizeMode = RELP_DFLT_OVERSIZE_MODE; @@ -101,6 +102,7 @@ free(pThis->caCertFile); free(pThis->ownCertFile); free(pThis->privKey); + free(pThis->tlsConfigCmd); for(i = 0 ; i < pThis->permittedPeers.nmemb ; ++i) free(pThis->permittedPeers.name[i]); /* done with de-init work, now free srv object itself */ @@ -326,6 +328,21 @@ LEAVE_RELPFUNC; } +relpRetVal +relpSrvSetTlsConfigCmd(relpSrv_t *pThis, char *cfgcmd) +{ + ENTER_RELPFUNC; + RELPOBJ_assert(pThis, Srv); + free(pThis->tlsConfigCmd); + if(cfgcmd == NULL) { + pThis->tlsConfigCmd = NULL; + } else { + if((pThis->tlsConfigCmd = strdup(cfgcmd)) == NULL) + ABORT_FINALIZE(RELP_RET_OUT_OF_MEMORY); + } +finalize_it: + LEAVE_RELPFUNC; +} void relpSrvSetDHBits(relpSrv_t *pThis, int bits) { 
@@ -397,6 +414,7 @@ } relpTcpSetDHBits(pTcp, pThis->dhBits); CHKRet(relpTcpSetGnuTLSPriString(pTcp, pThis->pristring)); + CHKRet(relpTcpSetTlsConfigCmd(pTcp, pThis->tlsConfigCmd)); CHKRet(relpTcpSetAuthMode(pTcp, pThis->authmode)); CHKRet(relpTcpSetCACert(pTcp, pThis->caCertFile)); CHKRet(relpTcpSetOwnCert(pTcp, pThis->ownCertFile)); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/librelp-1.4.0/src/relpsrv.h new/librelp-1.5.0/src/relpsrv.h --- old/librelp-1.4.0/src/relpsrv.h 2018-12-09 15:31:02.000000000 +0100 +++ new/librelp-1.5.0/src/relpsrv.h 2020-01-14 10:22:05.000000000 +0100 @@ -60,6 +60,7 @@ char *caCertFile; char *ownCertFile; char *privKey; + char *tlsConfigCmd; /**< optional configuration command property for TLS libs **/ relpAuthMode_t authmode; relpPermittedPeers_t permittedPeers; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/librelp-1.4.0/src/tcp.c new/librelp-1.5.0/src/tcp.c --- old/librelp-1.4.0/src/tcp.c 2019-03-04 10:03:06.000000000 +0100 +++ new/librelp-1.5.0/src/tcp.c 2020-01-14 10:22:05.000000000 +0100 @@ -639,6 +639,7 @@ pThis->caCertFile = NULL; pThis->ownCertFile = NULL; pThis->privKeyFile = NULL; + pThis->tlsConfigCmd = NULL; pThis->pUsr = NULL; pThis->permittedPeers.nmemb = 0; pThis->permittedPeers.peer = NULL; @@ -769,6 +770,7 @@ free(pThis->caCertFile); free(pThis->ownCertFile); free(pThis->privKeyFile); + free(pThis->tlsConfigCmd); /* done with de-init work, now free tcp object itself */ free(pThis); @@ -1089,6 +1091,21 @@ LEAVE_RELPFUNC; } +relpRetVal +relpTcpSetTlsConfigCmd(relpTcp_t *const pThis, char *cfgcmd) +{ + ENTER_RELPFUNC; + RELPOBJ_assert(pThis, Tcp); + free(pThis->tlsConfigCmd); + if(cfgcmd == NULL) { + pThis->tlsConfigCmd = NULL; + } else { + if((pThis->tlsConfigCmd = strdup(cfgcmd)) == NULL) + ABORT_FINALIZE(RELP_RET_OUT_OF_MEMORY); + } +finalize_it: + LEAVE_RELPFUNC; +} /* Enable TLS mode. */ relpRetVal 
@@ -1549,6 +1566,103 @@ LEAVE_RELPFUNC; } +static relpRetVal +relpTcpSetSslConfCmd_ossl(relpTcp_t *const pThis, char *tlsConfigCmd) +{ + ENTER_RELPFUNC; + + /* Skip function if function is NULL tlsConfigCmd */ + if (tlsConfigCmd == NULL) { + pThis->pEngine->dbgprint("relpTcpSetSslConfCmd_ossl: tlsConfigCmd is NULL\n"); + LEAVE_RELPFUNC; + } else { + pThis->pEngine->dbgprint("relpTcpSetSslConfCmd_ossl: set to '%s'\n", tlsConfigCmd); + char errmsg[1424]; +#if OPENSSL_VERSION_NUMBER >= 0x10020000L + char *pCurrentPos; + char *pNextPos; + char *pszCmd; + char *pszValue; + int iConfErr; + + /* Set working pointer */ + pCurrentPos = tlsConfigCmd; + if (pCurrentPos != NULL && strlen(pCurrentPos) > 0) { + // Create CTX Config Helper + SSL_CONF_CTX *cctx; + cctx = SSL_CONF_CTX_new(); + if (pThis->sslState == osslServer) { + SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_SERVER); + } else { + SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_CLIENT); + } + SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_FILE); + SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_SHOW_ERRORS); + SSL_CONF_CTX_set_ssl_ctx(cctx, ctx); + + do + { + pNextPos = index(pCurrentPos, '='); + if (pNextPos != NULL) { + while ( *pCurrentPos != '\0' && + (*pCurrentPos == ' ' || *pCurrentPos == '\t') ) + pCurrentPos++; + pszCmd = strndup(pCurrentPos, pNextPos-pCurrentPos); + pCurrentPos = pNextPos+1; + pNextPos = index(pCurrentPos, '\n'); + pszValue = (pNextPos == NULL ? + strdup(pCurrentPos) : + strndup(pCurrentPos, pNextPos - pCurrentPos)); + pCurrentPos = (pNextPos == NULL ? 
NULL : pNextPos+1); + + /* Add SSL Conf Command */ + iConfErr = SSL_CONF_cmd(cctx, pszCmd, pszValue); + if (iConfErr > 0) { + pThis->pEngine->dbgprint("relpTcpSetSslConfCmd_ossl: " + "Successfully added Command '%s':'%s'\n", + pszCmd, pszValue); + } + else { + snprintf(errmsg, sizeof(errmsg), + "Failed to added Command: %s:'%s' " + "in relpTcpSetSslConfCmd_ossl with error '%d'", + pszCmd, pszValue, iConfErr); + callOnErr(pThis, errmsg, RELP_RET_ERR_TLS); + } + + free(pszCmd); + free(pszValue); + } else { + /* Abort further parsing */ + pCurrentPos = NULL; + } + } + while (pCurrentPos != NULL); + + /* Finalize SSL Conf */ + iConfErr = SSL_CONF_CTX_finish(cctx); + if (!iConfErr) { + snprintf(errmsg, sizeof(errmsg), + "Failed setting openssl command parameters: %s" + "Open ssl error info may follow in next messages", + tlsConfigCmd); + callOnErr(pThis, errmsg, RELP_RET_ERR_TLS); + relpTcpLastSSLErrorMsg(0, pThis, "relpTcpSetSslConfCmd_ossl"); + } + } +#else + snprintf(errmsg, sizeof(errmsg), + "Warning: OpenSSL Version too old to set tlsConfigCmd ('%s')" + "by SSL_CONF_cmd API.", + tlsConfigCmd); + callOnErr(pThis, errmsg, RELP_RET_ERR_TLS); +#endif + } + +finalize_it: + LEAVE_RELPFUNC; +} + static relpRetVal LIBRELP_ATTR_NONNULL() relpTcpAcceptConnReqInitTLS_ossl(relpTcp_t *const pThis, relpSrv_t *const pSrv) { @@ -1581,6 +1695,9 @@ SSL_set_verify(pThis->ssl, SSL_VERIFY_NONE, verify_callback); } + /*set Server state */ + pThis->sslState = osslServer; + /* Create BIO from ptcp socket! */ client = BIO_new_socket(pThis->sock, BIO_CLOSE /*BIO_NOCLOSE*/); pThis->pEngine->dbgprint("relpTcpAcceptConnReqInitTLS_ossl: Init client BIO[%p] done\n", (void *)client); @@ -1596,7 +1713,6 @@ SSL_set_accept_state(pThis->ssl); /* sets ssl to work in server mode. */ pThis->bTLSActive = 1; - pThis->sslState = osslServer; /*set Server state */ /* We now do the handshake */ CHKRet(relpTcpRtryHandshake(pThis)); 
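Review bot: A rejected configuration command does not fail the call: when `SSL_CONF_cmd` returns an error or `SSL_CONF_CTX_finish` fails, the code only calls `callOnErr(...)` and carries on, and nothing visible in the hunk changes the return status, so a mistyped `Protocol=` or cipher restriction is logged but the connection is then set up with whatever the context already had — the operator's intended restriction is silently not enforced. Either `callOnErr` must be known to set the function's return value (not visible here), or those branches should `ABORT_FINALIZE(RELP_RET_ERR_TLS)` so that the caller's `CHKRet` refuses the connection; the pre-1.0.2 `#else` branch has the same fail-open shape, warning that the command cannot be applied and proceeding anyway. In the same block `cctx = SSL_CONF_CTX_new()` is never checked for NULL and is never released with `SSL_CONF_CTX_free(cctx)`, and the `strndup`/`strdup` results for `pszCmd`/`pszValue` reach `SSL_CONF_cmd` unchecked; `index()` is the legacy spelling of `strchr()`. Note also that `ctx` is not declared in this function, so it appears to be a file-level `SSL_CTX` shared by all connections — applying per-connection commands to it means later connections inherit earlier ones' settings, which is worth confirming and documenting on the `tlsConfigCmd` field.
```c
static relpRetVal
relpTcpSetSslConfCmd_ossl(relpTcp_t *const pThis, char *tlsConfigCmd)
{
#if OPENSSL_VERSION_NUMBER >= 0x10020000L
	SSL_CONF_CTX *cctx = NULL;	/* freed at finalize_it on every exit path */
#endif
	ENTER_RELPFUNC;
	/* … unchanged: NULL check, dbgprint, errmsg and cursor declarations … */
		cctx = SSL_CONF_CTX_new();
		if (cctx == NULL) {
			callOnErr(pThis, "relpTcpSetSslConfCmd_ossl: SSL_CONF_CTX_new failed",
				RELP_RET_ERR_TLS);
			ABORT_FINALIZE(RELP_RET_ERR_TLS);
		}
		/* … unchanged: SSL_CONF_FLAG_* setup, SSL_CONF_CTX_set_ssl_ctx … */
		do {
			pNextPos = strchr(pCurrentPos, '=');
			if (pNextPos != NULL) {
				/* … unchanged: skip blanks, split into pszCmd / pszValue … */
				if (pszCmd == NULL || pszValue == NULL) {
					free(pszCmd);
					free(pszValue);
					ABORT_FINALIZE(RELP_RET_OUT_OF_MEMORY);
				}
				iConfErr = SSL_CONF_cmd(cctx, pszCmd, pszValue);
				if (iConfErr <= 0) {
					snprintf(errmsg, sizeof(errmsg),
						"Failed to add Command: %s:'%s' "
						"in relpTcpSetSslConfCmd_ossl with error '%d'",
						pszCmd, pszValue, iConfErr);
					callOnErr(pThis, errmsg, RELP_RET_ERR_TLS);
					free(pszCmd);
					free(pszValue);
					/* fail closed: never continue with a partially applied policy */
					ABORT_FINALIZE(RELP_RET_ERR_TLS);
				}
				/* … unchanged: success dbgprint, free(pszCmd), free(pszValue) … */
			} else {
				pCurrentPos = NULL;
			}
		} while (pCurrentPos != NULL);

		if (!SSL_CONF_CTX_finish(cctx)) {
			/* … unchanged: errmsg, callOnErr, relpTcpLastSSLErrorMsg … */
			ABORT_FINALIZE(RELP_RET_ERR_TLS);
		}
	/* … unchanged: #else branch for OpenSSL older than 1.0.2 … */
finalize_it:
#if OPENSSL_VERSION_NUMBER >= 0x10020000L
	if (cctx != NULL)
		SSL_CONF_CTX_free(cctx);
#endif
	LEAVE_RELPFUNC;
}
```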
@@ -1645,6 +1761,12 @@ CHKRet(relpTcpInitTLS(pThis)); } + /*set client state */ + pThis->sslState = osslClient; + + /* Set TLS Options if configured */ + CHKRet(relpTcpSetSslConfCmd_ossl(pThis, pThis->tlsConfigCmd)); + /* Create BIO from ptcp socket! */ conn = BIO_new_socket(pThis->sock, BIO_CLOSE /*BIO_NOCLOSE*/); pThis->pEngine->dbgprint("relpTcpConnectTLSInit: Init conn BIO[%p] done\n", (void *)conn); @@ -1660,7 +1782,6 @@ pThis->pEngine->dbgprint("relpTcpConnectTLSInit: TLS Mode\n"); if(!(pThis->ssl = SSL_new(ctx))) { relpTcpLastSSLErrorMsg(0, pThis, "relpTcpConnectTLSInit"); -/* errmsg.LogError(0, RS_RET_NO_ERRCODE, "Error creating an SSL context"); */ ABORT_FINALIZE(RELP_RET_IO_ERR); } @@ -1676,7 +1797,6 @@ SSL_set_bio(pThis->ssl, conn, conn); SSL_set_connect_state(pThis->ssl); /*sets ssl to work in client mode.*/ - pThis->sslState = osslClient; /*set client state */ /* Perform the TLS handshake */ pThis->pEngine->dbgprint("relpTcpConnectTLSInit: try handshake for [%p]\n", (void *)pThis); @@ -1716,6 +1836,10 @@ if(!called_openssl_global_init) { CHKRet(relpTcpInitTLS(pThis)); } + + /* Set TLS Options if configured */ + CHKRet(relpTcpSetSslConfCmd_ossl(pThis, pThis->tlsConfigCmd)); + pThis->pEngine->dbgprint("relpTcpLstnInitTLS openssl init done \n"); finalize_it: diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/librelp-1.4.0/src/tcp.h new/librelp-1.5.0/src/tcp.h --- old/librelp-1.4.0/src/tcp.h 2019-03-04 10:03:06.000000000 +0100 +++ new/librelp-1.5.0/src/tcp.h 2020-01-14 10:22:06.000000000 +0100 @@ -131,6 +131,7 @@ char *caCertFile; char *ownCertFile; char *privKeyFile; + char *tlsConfigCmd; /**< optional configuration command property for TLS libs **/ #ifdef ENABLE_TLS gnutls_session_t session; gnutls_dh_params_t dh_params; /**< server DH parameters for anon mode */ 
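Review bot: In the `relpTcpLstnInitTLS` hunk (@@ -1716) `relpTcpSetSslConfCmd_ossl` is called without `pThis->sslState` having been set to `osslServer` anywhere visible — the only server-side assignment in this diff is in `relpTcpAcceptConnReqInitTLS_ossl`, which runs later and on a different object for each accepted connection, whereas the client path in the @@ -1645 hunk deliberately sets `osslClient` right before its call. Because `relpTcpSetSslConfCmd_ossl` picks `SSL_CONF_FLAG_SERVER` or `SSL_CONF_FLAG_CLIENT` from that field, the listener's commands would be parsed with client semantics unless the field is initialised to `osslServer` earlier outside the hunk; adding `pThis->sslState = osslServer;` before `CHKRet(relpTcpSetSslConfCmd_ossl(pThis, pThis->tlsConfigCmd));` in the listener path mirrors the client side. The accept path never applies `tlsConfigCmd` for the accepted socket, so on the server the commands take effect only through the context configured at listen time; a comment on the `tlsConfigCmd` field in tcp.h stating this would help the next reader. Both enclosing functions start before their hunks.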
@@ -171,6 +172,7 @@ relpRetVal relpTcpSetCACert(relpTcp_t *pThis, char *cert); relpRetVal relpTcpSetOwnCert(relpTcp_t *pThis, char *cert); relpRetVal relpTcpSetPrivKey(relpTcp_t *pThis, char *cert); +relpRetVal relpTcpSetTlsConfigCmd(relpTcp_t *pThis, char *cfgcmd); relpRetVal relpTcpSetPermittedPeers(relpTcp_t *pThis, relpPermittedPeers_t *pPeers); relpRetVal LIBRELP_ATTR_NONNULL() relpTcpRtryHandshake(relpTcp_t *pThis); relpRetVal relpTcpSetUsrPtr(relpTcp_t *pThis, void *pUsr); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/librelp-1.4.0/tests/Makefile.am new/librelp-1.5.0/tests/Makefile.am --- old/librelp-1.4.0/tests/Makefile.am 2019-03-04 10:03:06.000000000 +0100 +++ new/librelp-1.5.0/tests/Makefile.am 2020-01-14 10:22:06.000000000 +0100 @@ -23,6 +23,7 @@ tls-basic-certvalid.sh \ tls-basic-fingerprint.sh \ tls-basic-wildcard.sh \ + tls-basic-tlscommand.sh \ tls-receiver-abort.sh \ tls-missing-param-sender.sh \ tls-missing-param-receiver.sh diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/librelp-1.4.0/tests/Makefile.in new/librelp-1.5.0/tests/Makefile.in --- old/librelp-1.4.0/tests/Makefile.in 2019-03-04 10:19:19.000000000 +0100 +++ new/librelp-1.5.0/tests/Makefile.in 2020-01-14 10:23:28.000000000 +0100 @@ -543,6 +543,7 @@ tls-basic-certvalid.sh \ tls-basic-fingerprint.sh \ tls-basic-wildcard.sh \ + tls-basic-tlscommand.sh \ tls-receiver-abort.sh \ tls-missing-param-sender.sh \ tls-missing-param-receiver.sh diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/librelp-1.4.0/tests/receive.c new/librelp-1.5.0/tests/receive.c --- old/librelp-1.4.0/tests/receive.c 2019-03-04 10:03:06.000000000 +0100 +++ new/librelp-1.5.0/tests/receive.c 2020-01-14 10:22:06.000000000 +0100 
@@ -221,6 +221,7 @@ char *caCertFile = NULL; char *myCertFile = NULL; char *myPrivKeyFile = NULL; + char *tlsConfigCmd = NULL; char *permittedPeer = NULL; char *authMode = NULL; int maxDataSize = 0; @@ -243,12 +244,13 @@ {"outfile", required_argument, 0, 'O'}, {"append-outfile", no_argument, 0, 'A'}, {"tls-lib", required_argument, 0, 'l'}, + {"tlsconfcmd", required_argument, 0, 'c'}, {"watchdog-timeout", required_argument, 0, 'W'}, {0, 0, 0, 0} }; - while((c = getopt_long(argc, argv, "a:Ae:F:l:m:o:O:P:p:TvW:x:y:z:", + while((c = getopt_long(argc, argv, "a:c:Ae:F:l:m:o:O:P:p:TvW:x:y:z:", long_options, &option_index)) != -1) { switch(c) { case 'a': @@ -257,6 +259,9 @@ case 'A': append_outfile = 1; break; + case 'c': + tlsConfigCmd = optarg; + break; case 'e': if((errFile = fopen((char*) optarg, "w")) == NULL) { perror(optarg); @@ -361,6 +366,15 @@ } } + if(tlsConfigCmd != NULL) { + if(bEnableTLS == 0) { + fprintf(stderr, "receive: tls config command were specified, but TLS was " + "not enabled! Will continue without TLS. To enable " + "it use parameter \"-T\"\n"); + goto done; + } + } + hdlr_enable(SIGTERM, terminate); hdlr_enable(SIGUSR1, do_exit); hdlr_enable(SIGALRM, watchdog_expired); @@ -406,6 +420,7 @@ if(bEnableTLS) { TRY(relpSrvEnableTLS2(pRelpSrv)); + TRY(relpSrvSetTlsConfigCmd(pRelpSrv, tlsConfigCmd)); if(authMode != NULL) { TRY(relpSrvSetAuthMode(pRelpSrv, authMode)); TRY(relpSrvSetCACert(pRelpSrv, caCertFile)); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/librelp-1.4.0/tests/send.c new/librelp-1.5.0/tests/send.c --- old/librelp-1.4.0/tests/send.c 2019-03-04 10:03:06.000000000 +0100 +++ new/librelp-1.5.0/tests/send.c 2020-01-14 10:22:06.000000000 +0100 @@ -240,6 +240,7 @@ char *caCertFile = NULL; char *myCertFile = NULL; char *myPrivKeyFile = NULL; + char *tlsConfigCmd = NULL; char *permittedPeer = NULL; char *authMode = NULL; const char *tlslib = NULL; 
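Review bot: The new check in receive.c prints `Will continue without TLS` and then jumps to `done`, so the program does not continue at all — the message contradicts the control flow, while the send.c counterpart in the next hunk is consistent with its own `goto done`. Either drop the sentence, `"receive: tls config command was specified, but TLS was not enabled! To enable it use parameter \"-T\"\n"`, or really proceed without the command; `were specified` should be `was specified` in both files. The `done` label and the exit status taken there are outside the hunk, so whether this counts as a test failure cannot be verified here.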
@@ -263,6 +264,7 @@ {"authmode", required_argument, 0, 'a'}, {"errorfile", required_argument, 0, 'e'}, {"tls-lib", required_argument, 0, 'l'}, + {"tlsconfcmd", required_argument, 0, 'c'}, {"debugfile", required_argument, 0, DBGFILE}, {"num-messages", required_argument, 0, 'n'}, {"kill-on-msg", required_argument, 0, KILL_ON_MSG}, @@ -272,11 +274,14 @@ {0, 0, 0, 0} }; - while((c = getopt_long(argc, argv, "a:e:d:l:m:n:P:p:Tt:vx:y:z:", long_options, &option_index)) != -1) { + while((c = getopt_long(argc, argv, "a:c:e:d:l:m:n:P:p:Tt:vx:y:z:", long_options, &option_index)) != -1) { switch(c) { case 'a': authMode = optarg; break; + case 'c': + tlsConfigCmd = optarg; + break; case 'e': if((errFile = fopen(optarg, "w")) == NULL) { perror(optarg); @@ -384,7 +389,13 @@ } } - + if(tlsConfigCmd != NULL) { + if(bEnableTLS == 0) { + fprintf(stderr, "send: tls config command were specified, but TLS was " + "not enabled! To enable it use parameter \"-T\"\n"); + goto done; + } + } TRY(relpEngineConstruct(&pRelpEngine)); TRY(relpEngineSetDbgprint(pRelpEngine, verbose ? dbgprintf : NULL)); @@ -407,6 +418,7 @@ if(bEnableTLS) { TRY(relpCltEnableTLS(pRelpClt)); + TRY(relpCltSetTlsConfigCmd(pRelpClt, tlsConfigCmd)); if(authMode != NULL) { TRY(relpCltSetAuthMode(pRelpClt, authMode)); TRY(relpCltSetCACert(pRelpClt, caCertFile)); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/librelp-1.4.0/tests/test-framework.sh new/librelp-1.5.0/tests/test-framework.sh --- old/librelp-1.4.0/tests/test-framework.sh 2019-03-04 10:03:06.000000000 +0100 +++ new/librelp-1.5.0/tests/test-framework.sh 2020-01-14 10:22:06.000000000 +0100 
@@ -107,20 +107,35 @@ # $1 is the value to check for # $2 (optinal) is the file to check check_output() { + if [ "$1" == "--check-only" ]; then + check_only="yes" + shift + else + check_only="no" + fi + EXPECTED="$1" if [ "$2" == "" ] ; then FILE_TO_CHECK="$OUTFILE" else FILE_TO_CHECK="$2" fi + grep $3 "$EXPECTED" $FILE_TO_CHECK > /dev/null if [ $? -ne 0 ]; then + if [ "$check_only" == "yes" ]; then + printf 'check_output did not yet succeed (check_only set)\n' + return 1 + fi printf "\nFAIL: expected message not found. Expected:\n" printf "%s\n" "$EXPECTED" printf "\n$FILE_TO_CHECK actually is:\n" cat $FILE_TO_CHECK exit 1 fi + if [ "$check_only" == "yes" ]; then + return 0 + fi } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/librelp-1.4.0/tests/tls-basic-tlscommand.sh new/librelp-1.5.0/tests/tls-basic-tlscommand.sh --- old/librelp-1.4.0/tests/tls-basic-tlscommand.sh 1970-01-01 01:00:00.000000000 +0100 +++ new/librelp-1.5.0/tests/tls-basic-tlscommand.sh 2020-01-14 10:22:06.000000000 +0100 
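Review bot: `check_only` is assigned without `local`, so the `--check-only` mode leaves a global behind that later `check_output` calls and the calling test inherit; `local check_only` at the top of the function fixes it (the function begins and ends inside the hunk). The grep line `grep $3 "$EXPECTED" $FILE_TO_CHECK > /dev/null` would treat an expected text starting with `-` as an option and leaves `$FILE_TO_CHECK` unquoted; `grep $3 -- "$EXPECTED" "$FILE_TO_CHECK" > /dev/null` keeps the optional `$3` flag and is otherwise safe. The header comment above the function still documents only `$1` and `$2`; adding `# --check-only (optional, first arg): return 1 instead of exiting when the text is absent` keeps the usage in sync with the new behaviour.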
@@ -0,0 +1,42 @@
+#!/bin/bash
+. ${srcdir:=$(pwd)}/test-framework.sh
+
+function actual_test() {
+ startup_receiver --tls-lib $TEST_TLS_LIB -T -a "name" -x ${srcdir}/tls-certs/ca.pem \
+ -y ${srcdir}/tls-certs/cert.pem -z ${srcdir}/tls-certs/key.pem \
+ -P 'testbench.rsyslog.com' \
+ --errorfile error.out.log \
+ -c "Protocol=ALL,-SSLv2,-SSLv3,-TLSv1,-TLSv1.2"
+
+ echo 'Send Message...'
+ ./send --tls-lib $TEST_TLS_LIB -t 127.0.0.1 -p $TESTPORT -m "testmessage" -T -a "name" \
+ -x ${srcdir}/tls-certs/ca.pem -y ${srcdir}/tls-certs/cert.pem \
+ -z ${srcdir}/tls-certs/key.pem -P 'testbench.rsyslog.com' \
+ -c "Protocol=-ALL,TLSv1.2" \
+ --errorfile error.out.log \
+ $OPT_VERBOSE
+
+ stop_receiver
+
+ # Test only supported for OpenSSL
+ if [ "$TEST_TLS_LIB" == "openssl" ]; then
+ check_output --check-only "OpenSSL Version too old" error.out.log
+ ret=$?
+ if [ $ret == 0 ]; then
+ echo "SKIP: OpenSSL Version too old"
+ exit 77
+ else
+ if test -f "error.out.log"; then
+ check_output "error opening connection to remote peer" error.out.log
+ else
+ echo "SKIP: error.out.log was not created"
+ exit 77
+ fi
+
+ fi
+ fi
+}
+
+do_tls_subtests
+terminate
+
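Review bot: When `TEST_TLS_LIB` is anything other than `openssl` the function reaches its end without a single assertion, so the test is reported as passed rather than skipped; an explicit branch, `else echo "SKIP: tlsConfigCmd is only supported with OpenSSL"; exit 77`, makes the result honest (or an early return before the receiver is started, if `do_tls_subtests` runs the function once per library — that helper is outside this diff). The only positive check is that `error opening connection to remote peer` appears in error.out.log, a file both receiver and sender write to, so a sender that fails for an unrelated reason before the handshake — wrong certificate path, port already in use — would probably satisfy it too, and the test cannot tell "protocol restriction rejected the peer" from "no connection was attempted"; checking that the receiver also logged the TLS handshake failure would pin the expected cause. `[ $ret == 0 ]` relies on bash's `[` accepting `==`; `[ "$ret" -eq 0 ]` is the numeric comparison, and `$TEST_TLS_LIB` should be quoted as `"$TEST_TLS_LIB"` on the `startup_receiver` and `./send` lines.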
