Fix TLS-based destinations in case of a missing client key/cert

2018-05-12 16:02:02 +02:00
2 changed files with 101 additions and 1 deletions
--- a/syslog-ng-3.14.1-fix-tls-based-destinations.patch
+++ b/syslog-ng-3.14.1-fix-tls-based-destinations.patch
@ -0,0 +1,94 @@
+diff -ur syslog-ng-3.14.1.orig/lib/tlscontext.c syslog-ng-3.14.1/lib/tlscontext.c
+--- syslog-ng-3.14.1.orig/lib/tlscontext.c	2018-02-27 12:45:36.000000000 +0100
+++ syslog-ng-3.14.1/lib/tlscontext.c	2018-05-12 14:48:48.362107251 +0200
+@@ -322,7 +322,7 @@
+ }
+ 
+ static gboolean
+-file_exists(const gchar *fname)
+_is_file_accessible(const gchar *fname)
+ {
+   if (!fname)
+     return FALSE;
+@@ -444,7 +444,7 @@
+ static DH *
+ _load_dh_from_file(const gchar *dhparam_file)
+ {
+-  if (!file_exists(dhparam_file))
+  if (!_is_file_accessible(dhparam_file))
+     return NULL;
+ 
+   BIO *bio = BIO_new_file(dhparam_file, "r");
+@@ -528,7 +528,7 @@
+ static PKCS12 *
+ _load_pkcs12_file(const gchar *pkcs12_file)
+ {
+-  if (!file_exists(pkcs12_file))
+  if (!_is_file_accessible(pkcs12_file))
+     return NULL;
+ 
+   FILE *p12_file = fopen(pkcs12_file, "rb");
+@@ -595,13 +595,24 @@
+ static gboolean
+ _are_key_and_cert_files_accessible(TLSContext *self)
+ {
+-  return file_exists(self->key_file) &&
+-         file_exists(self->cert_file);
+  gboolean key_file_accessible = _is_file_accessible(self->key_file);
+  gboolean cert_file_accessible = _is_file_accessible(self->cert_file);
+
+  return key_file_accessible && cert_file_accessible;
+}
+
+static gboolean
+_client_key_and_cert_files_are_not_specified(TLSContext *self)
+{
+  return self->mode == TM_CLIENT && (!self->key_file && !self->cert_file);
+ }
+ 
+ static TLSContextLoadResult
+ tls_context_load_key_and_cert(TLSContext *self)
+ {
+  if (_client_key_and_cert_files_are_not_specified(self))
+    return TLS_CONTEXT_OK;
+
+   if (!_are_key_and_cert_files_accessible(self))
+     return TLS_CONTEXT_FILE_ACCES_ERROR;
+   if (!SSL_CTX_use_PrivateKey_file(self->ssl_ctx, self->key_file, SSL_FILETYPE_PEM))
+@@ -639,10 +650,10 @@
+         goto error;
+     }
+ 
+-  if (file_exists(self->ca_dir) && !SSL_CTX_load_verify_locations(self->ssl_ctx, NULL, self->ca_dir))
+  if (_is_file_accessible(self->ca_dir) && !SSL_CTX_load_verify_locations(self->ssl_ctx, NULL, self->ca_dir))
+     goto error;
+ 
+-  if (file_exists(self->crl_dir) && !SSL_CTX_load_verify_locations(self->ssl_ctx, NULL, self->crl_dir))
+  if (_is_file_accessible(self->crl_dir) && !SSL_CTX_load_verify_locations(self->ssl_ctx, NULL, self->crl_dir))
+     goto error;
+ 
+   if (self->crl_dir)
+diff -ur syslog-ng-3.14.1.orig/modules/afsocket/transport-mapper-inet.c syslog-ng-3.14.1/modules/afsocket/transport-mapper-inet.c
+--- syslog-ng-3.14.1.orig/modules/afsocket/transport-mapper-inet.c	2018-02-27 12:45:36.000000000 +0100
+++ syslog-ng-3.14.1/modules/afsocket/transport-mapper-inet.c	2018-05-12 14:48:48.361107251 +0200
+@@ -176,17 +176,17 @@
+ 
+   TLSContextSetupResult tls_ctx_setup_res = tls_context_setup_context(self->tls_context);
+ 
+  const gchar *key = tls_context_get_key_file(self->tls_context);
+
+   if (tls_ctx_setup_res == TLS_CONTEXT_SETUP_OK)
+     {
+-      const gchar *key = tls_context_get_key_file(self->tls_context);
+-      if (secret_storage_contains_key(key))
+      if (key && secret_storage_contains_key(key))
+         secret_storage_update_status(key, SECRET_STORAGE_SUCCESS);
+       return func(func_args);
+     }
+ 
+   if (tls_ctx_setup_res == TLS_CONTEXT_SETUP_BAD_PASSWORD)
+     {
+-      const gchar *key = tls_context_get_key_file(self->tls_context);
+       msg_error("Error setting up TLS context",
+                 evt_tag_str("keyfile", key));
+       call_finalize_init_args *args = g_new0(call_finalize_init_args, 1);
--- a/syslog-ng.spec
+++ b/syslog-ng.spec
@ -2,7 +2,7 @@

 Name: syslog-ng
 Version: 3.14.1
-Release: 4%{?dist}
+Release: 5%{?dist}
 Summary: Next-generation syslog server

 Group: System Environment/Daemons
@ -13,6 +13,9 @@ Source1: syslog-ng.conf
 Source2: syslog-ng.logrotate
 Source3: syslog-ng.service

+# https://github.com/balabit/syslog-ng/pull/1917
+Patch1:  syslog-ng-3.14.1-fix-tls-based-destinations.patch
+
 BuildRequires: perl-generators
 BuildRequires: systemd-units
 BuildRequires: pkgconfig
@ -395,6 +398,9 @@ fi


 %changelog
+* Sat May 12 2018 My Karlsson <mk@acc.umu.se> - 3.14.1-5
+- Fix TLS-based destinations in case of a missing client key/cert (rhbz#1577485)
+
 * Tue Mar 06 2018 Björn Esser <besser82@fedoraproject.org> - 3.14.1-4
 - Rebuilt for libjson-c.so.4 (json-c v0.13.1)