app-admin/syslog-ng/files/patches/syslog-ng-3.14.1-fix-tls-client.patch


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173

From a4f7b9dc75c2b678466cc104d8ca111bd90fba11 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?L=C3=A1szl=C3=B3=20V=C3=A1rady?= <laszlo.varady@balabit.com>
Date: Wed, 7 Mar 2018 18:35:09 +0100
Subject: [PATCH 1/3] tls: fix tls_context_load_key_and_cert()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

key_file and cert_file are optional (the client cert is not mandatory).

Signed-off-by: László Várady <laszlo.varady@balabit.com>
---
 lib/tlscontext.c                         | 9 +++++++++
 modules/afsocket/transport-mapper-inet.c | 6 +++---
 2 files changed, 12 insertions(+), 3 deletions(-)

diff --git a/lib/tlscontext.c b/lib/tlscontext.c
index 510ac2738d..b202c397f3 100644
--- a/lib/tlscontext.c
+++ b/lib/tlscontext.c
@@ -599,9 +599,18 @@ _are_key_and_cert_files_accessible(TLSContext *self)
          file_exists(self->cert_file);
 }
 
+static gboolean
+_client_key_and_cert_files_are_not_specified(TLSContext *self)
+{
+  return self->mode == TM_CLIENT && (!self->key_file && !self->cert_file);
+}
+
 static TLSContextLoadResult
 tls_context_load_key_and_cert(TLSContext *self)
 {
+  if (_client_key_and_cert_files_are_not_specified(self))
+    return TLS_CONTEXT_OK;
+
   if (!_are_key_and_cert_files_accessible(self))
     return TLS_CONTEXT_FILE_ACCES_ERROR;
   if (!SSL_CTX_use_PrivateKey_file(self->ssl_ctx, self->key_file, SSL_FILETYPE_PEM))
diff --git a/modules/afsocket/transport-mapper-inet.c b/modules/afsocket/transport-mapper-inet.c
index 80c0d21801..1afb34b33f 100644
--- a/modules/afsocket/transport-mapper-inet.c
+++ b/modules/afsocket/transport-mapper-inet.c
@@ -176,17 +176,17 @@ transport_mapper_inet_async_init(TransportMapper *s, TransportMapperAsyncInitCB
 
   TLSContextSetupResult tls_ctx_setup_res = tls_context_setup_context(self->tls_context);
 
+  const gchar *key = tls_context_get_key_file(self->tls_context);
+
   if (tls_ctx_setup_res == TLS_CONTEXT_SETUP_OK)
     {
-      const gchar *key = tls_context_get_key_file(self->tls_context);
-      if (secret_storage_contains_key(key))
+      if (key && secret_storage_contains_key(key))
         secret_storage_update_status(key, SECRET_STORAGE_SUCCESS);
       return func(func_args);
     }
 
   if (tls_ctx_setup_res == TLS_CONTEXT_SETUP_BAD_PASSWORD)
     {
-      const gchar *key = tls_context_get_key_file(self->tls_context);
       msg_error("Error setting up TLS context",
                 evt_tag_str("keyfile", key));
       call_finalize_init_args *args = g_new0(call_finalize_init_args, 1);

From 9e3eae23330442c9e58ae5ccc732457f2d0e694e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?L=C3=A1szl=C3=B3=20V=C3=A1rady?= <laszlo.varady@balabit.com>
Date: Wed, 7 Mar 2018 19:39:24 +0100
Subject: [PATCH 2/3] tlscontext: fix error logging of cert_file
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

file_exists() has a side effect: it logs when the file can't be opened.

Since the && operator is evaluated lazily, the error messages of cert_file
were not displayed when the first invocation of file_exists failed
(on key_file).

Signed-off-by: László Várady <laszlo.varady@balabit.com>
---
 lib/tlscontext.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/lib/tlscontext.c b/lib/tlscontext.c
index b202c397f3..5a503387c4 100644
--- a/lib/tlscontext.c
+++ b/lib/tlscontext.c
@@ -595,8 +595,10 @@ tls_context_load_pkcs12(TLSContext *self)
 static gboolean
 _are_key_and_cert_files_accessible(TLSContext *self)
 {
-  return file_exists(self->key_file) &&
-         file_exists(self->cert_file);
+  gboolean key_file_exists = file_exists(self->key_file);
+  gboolean cert_file_exists = file_exists(self->cert_file);
+
+  return key_file_exists && cert_file_exists;
 }
 
 static gboolean

From 3eef78b6ac8016d3eb33b36bd98419d5b086767f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?L=C3=A1szl=C3=B3=20V=C3=A1rady?= <laszlo.varady@balabit.com>
Date: Wed, 7 Mar 2018 19:43:41 +0100
Subject: [PATCH 3/3] tlscontext: rename file_exists() to is_file_accessible()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: László Várady <laszlo.varady@balabit.com>
---
 lib/tlscontext.c | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/lib/tlscontext.c b/lib/tlscontext.c
index 5a503387c4..73015d2462 100644
--- a/lib/tlscontext.c
+++ b/lib/tlscontext.c
@@ -322,7 +322,7 @@ tls_session_free(TLSSession *self)
 }
 
 static gboolean
-file_exists(const gchar *fname)
+_is_file_accessible(const gchar *fname)
 {
   if (!fname)
     return FALSE;
@@ -444,7 +444,7 @@ _is_dh_valid(DH *dh)
 static DH *
 _load_dh_from_file(const gchar *dhparam_file)
 {
-  if (!file_exists(dhparam_file))
+  if (!_is_file_accessible(dhparam_file))
     return NULL;
 
   BIO *bio = BIO_new_file(dhparam_file, "r");
@@ -528,7 +528,7 @@ tls_context_setup_dh(TLSContext *self)
 static PKCS12 *
 _load_pkcs12_file(const gchar *pkcs12_file)
 {
-  if (!file_exists(pkcs12_file))
+  if (!_is_file_accessible(pkcs12_file))
     return NULL;
 
   FILE *p12_file = fopen(pkcs12_file, "rb");
@@ -595,10 +595,10 @@ tls_context_load_pkcs12(TLSContext *self)
 static gboolean
 _are_key_and_cert_files_accessible(TLSContext *self)
 {
-  gboolean key_file_exists = file_exists(self->key_file);
-  gboolean cert_file_exists = file_exists(self->cert_file);
+  gboolean key_file_accessible = _is_file_accessible(self->key_file);
+  gboolean cert_file_accessible = _is_file_accessible(self->cert_file);
 
-  return key_file_exists && cert_file_exists;
+  return key_file_accessible && cert_file_accessible;
 }
 
 static gboolean
@@ -650,10 +650,10 @@ tls_context_setup_context(TLSContext *self)
         goto error;
     }
 
-  if (file_exists(self->ca_dir) && !SSL_CTX_load_verify_locations(self->ssl_ctx, NULL, self->ca_dir))
+  if (_is_file_accessible(self->ca_dir) && !SSL_CTX_load_verify_locations(self->ssl_ctx, NULL, self->ca_dir))
     goto error;
 
-  if (file_exists(self->crl_dir) && !SSL_CTX_load_verify_locations(self->ssl_ctx, NULL, self->crl_dir))
+  if (_is_file_accessible(self->crl_dir) && !SSL_CTX_load_verify_locations(self->ssl_ctx, NULL, self->crl_dir))
     goto error;
 
   if (self->crl_dir)