commit 4b664dbc32d22053ab6cd3f681c81d587af473eb
Author: CentOS Sources
Date: Tue May 16 06:07:52 2023 +0000
import rsyslog-8.2102.0-13.el8
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..8a200b6
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,3 @@
+SOURCES/qpid-proton-0.34.0.tar.gz
+SOURCES/rsyslog-8.2102.0.tar.gz
+SOURCES/rsyslog-doc-8.2102.0.tar.gz
diff --git a/.rsyslog.metadata b/.rsyslog.metadata
new file mode 100644
index 0000000..e0fc0e7
--- /dev/null
+++ b/.rsyslog.metadata
@@ -0,0 +1,3 @@
+390e5cb87a6331cf0ce451d7f6552e2c0d97f706 SOURCES/qpid-proton-0.34.0.tar.gz
+fdda78ed808e7a0dca03ead9227a0a5d913a050f SOURCES/rsyslog-8.2102.0.tar.gz
+9c2188d435cb5f79c1c35749003bd2a61e7f2d07 SOURCES/rsyslog-doc-8.2102.0.tar.gz
diff --git a/SOURCES/rsyslog-8.1911.0-rhbz1659898-imjournal-default-tag.patch b/SOURCES/rsyslog-8.1911.0-rhbz1659898-imjournal-default-tag.patch
new file mode 100644
index 0000000..e9a188d
--- /dev/null
+++ b/SOURCES/rsyslog-8.1911.0-rhbz1659898-imjournal-default-tag.patch
@@ -0,0 +1,93 @@ +diff -up ./plugins/imjournal/imjournal.c.default-tag ./plugins/imjournal/imjournal.c +--- ./plugins/imjournal/imjournal.c.default-tag 2018-05-17 08:50:11.416418022 -0400 ++++ ./plugins/imjournal/imjournal.c 2018-05-17 08:53:02.884418022 -0400 +@@ -78,6 +78,7 @@ static struct configSettings_s { + int bWorkAroundJournalBug; /* deprecated, left for backwards compatibility only */ + int bFsync; + int bRemote; ++ char *dfltTag; + } cs; + + static rsRetVal facilityHdlr(uchar **pp, void *pVal); +@@ -93,7 +94,8 @@ static struct cnfparamdescr modpdescr[] + { "usepid", eCmdHdlrString, 0 }, + { "workaroundjournalbug", eCmdHdlrBinary, 0 }, + { "fsync", eCmdHdlrBinary, 0 }, +- { "remote", eCmdHdlrBinary, 0 } ++ { "remote", eCmdHdlrBinary, 0 }, ++ { "defaulttag", eCmdHdlrGetWord, 0 } + }; + static struct cnfparamblk modpblk = + { CNFPARAMBLK_VERSION, +@@ -104,6 +106,7 @@ static struct cnfparamblk modpblk = + #define DFLT_persiststateinterval 10 + #define DFLT_SEVERITY pri2sev(LOG_NOTICE) + #define DFLT_FACILITY pri2fac(LOG_USER) ++#define DFLT_TAG "journal" + + static int bLegacyCnfModGlobalsPermitted = 1;/* are legacy module-global config parameters permitted? 
*/ + +@@ -268,7 +271,7 @@ readjournal(void) + + /* Information from messages */ + char *message = NULL; +- char *sys_iden; ++ char *sys_iden = NULL; + char *sys_iden_help = NULL; + + const void *get; +@@ -331,7 +334,7 @@ readjournal(void) + if (journalGetData("SYSLOG_IDENTIFIER", &get, &length) >= 0) { + CHKiRet(sanitizeValue(((const char *)get) + 18, length - 18, &sys_iden)); + } else { +- CHKmalloc(sys_iden = strdup("journal")); ++ CHKmalloc(sys_iden = strdup(cs.dfltTag)); + } + + /* trying to get PID, default is "SYSLOG_PID" property */ +@@ -654,6 +657,11 @@ CODESTARTrunInput + "\"usepidfromsystem\" is depricated, use \"usepid\" instead"); + } + ++ if (cs.dfltTag == NULL) { ++ cs.dfltTag = strdup(DFLT_TAG); ++ } ++ ++ + if (cs.usePid && (strcmp(cs.usePid, "system") == 0)) { + pidFieldName = "_PID"; + bPidFallBack = 0; +@@ -732,6 +740,7 @@ CODESTARTbeginCnfLoad + cs.bWorkAroundJournalBug = 1; + cs.bFsync = 0; + cs.bRemote = 0; ++ cs.dfltTag = NULL; + ENDbeginCnfLoad + + +@@ -754,6 +763,7 @@ BEGINfreeCnf + CODESTARTfreeCnf + free(cs.stateFile); + free(cs.usePid); ++ free(cs.dfltTag); + free(journalContext.cursor); + statsobj.Destruct(&(statsCounter.stats)); + ENDfreeCnf +@@ -832,6 +842,8 @@ CODESTARTsetModCnf + cs.bFsync = (int) pvals[i].val.d.n; + } else if (!strcmp(modpblk.descr[i].name, "remote")) { + cs.bRemote = (int) pvals[i].val.d.n; ++ } else if (!strcmp(modpblk.descr[i].name, "defaulttag")) { ++ cs.dfltTag = (char *)es_str2cstr(pvals[i].val.d.estr, NULL); + } else { + dbgprintf("imjournal: program error, non-handled " + "param '%s' in beginCnfLoad\n", modpblk.descr[i].name); +@@ -799,6 +820,8 @@ CODEmodInit_QueryRegCFSLineHdlr + facilityHdlr, &cs.iDfltFacility, STD_LOADABLE_MODULE_ID)); + CHKiRet(omsdRegCFSLineHdlr((uchar *)"imjournalusepidfromsystem", 0, eCmdHdlrBinary, + NULL, &cs.bUseJnlPID, STD_LOADABLE_MODULE_ID)); ++ CHKiRet(omsdRegCFSLineHdlr((uchar *)"imjournaldefaulttag", 0, eCmdHdlrGetWord, ++ NULL, &cs.dfltTag, STD_LOADABLE_MODULE_ID)); + 
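Review bot: The `strdup(DFLT_TAG)` result in the runInput hunk (`@@ -654,6 +657,11 @@`) is stored without a check, so an allocation failure leaves `cs.dfltTag` NULL. The readjournal hunk then calls `strdup(cs.dfltTag)` on it for every journal entry that has no SYSLOG_IDENTIFIER, which is a NULL dereference. Writing it as `CHKmalloc(cs.dfltTag = strdup(DFLT_TAG));` matches the `CHKmalloc` already used at the consumer; this assumes runInput has a `finalize_it` label, which lies outside the hunk.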
ENDmodInit + /* vim:set ai: + */ diff --git a/SOURCES/rsyslog-8.2102.0-imtcp-param-refactor.patch b/SOURCES/rsyslog-8.2102.0-imtcp-param-refactor.patch new file mode 100644 index 0000000..224533e --- /dev/null +++ b/SOURCES/rsyslog-8.2102.0-imtcp-param-refactor.patch 
@@ -0,0 +1,908 @@ +diff --git a/plugins/imdiag/imdiag.c b/plugins/imdiag/imdiag.c +index 3e27ee4d36..d57dd5661c 100644 +--- a/plugins/imdiag/imdiag.c ++++ b/plugins/imdiag/imdiag.c +@@ -566,28 +566,33 @@ setInjectDelayMode(void __attribute__((unused)) *pVal, uchar *const pszMode) + } + + +-static rsRetVal addTCPListener(void __attribute__((unused)) *pVal, uchar *pNewVal) ++static rsRetVal ++addTCPListener(void __attribute__((unused)) *pVal, uchar *pNewVal) + { ++ tcpLstnParams_t *cnf_params = NULL; + DEFiRet; + +- if(pOurTcpsrv == NULL) { +- CHKiRet(tcpsrv.Construct(&pOurTcpsrv)); +- CHKiRet(tcpsrv.SetSessMax(pOurTcpsrv, iTCPSessMax)); +- CHKiRet(tcpsrv.SetCBIsPermittedHost(pOurTcpsrv, isPermittedHost)); +- CHKiRet(tcpsrv.SetCBRcvData(pOurTcpsrv, doRcvData)); +- CHKiRet(tcpsrv.SetCBOpenLstnSocks(pOurTcpsrv, doOpenLstnSocks)); +- CHKiRet(tcpsrv.SetCBOnRegularClose(pOurTcpsrv, onRegularClose)); +- CHKiRet(tcpsrv.SetCBOnErrClose(pOurTcpsrv, onErrClose)); +- CHKiRet(tcpsrv.SetDrvrMode(pOurTcpsrv, iStrmDrvrMode)); +- CHKiRet(tcpsrv.SetOnMsgReceive(pOurTcpsrv, OnMsgReceived)); +- CHKiRet(tcpsrv.SetLstnPortFileName(pOurTcpsrv, pszLstnPortFileName)); +- /* now set optional params, but only if they were actually configured */ +- if(pszStrmDrvrAuthMode != NULL) { +- CHKiRet(tcpsrv.SetDrvrAuthMode(pOurTcpsrv, pszStrmDrvrAuthMode)); +- } +- if(pPermPeersRoot != NULL) { +- CHKiRet(tcpsrv.SetDrvrPermPeers(pOurTcpsrv, pPermPeersRoot)); +- } ++ if(pOurTcpsrv != NULL) { ++ LogError(0, NO_ERRCODE, "imdiag: only a single listener is supported, " ++ "trying to add a second"); ++ ABORT_FINALIZE(RS_RET_ERR); ++ } ++ CHKmalloc(cnf_params = (tcpLstnParams_t*) calloc(1, sizeof(tcpLstnParams_t))); ++ CHKiRet(tcpsrv.Construct(&pOurTcpsrv)); ++ CHKiRet(tcpsrv.SetSessMax(pOurTcpsrv, iTCPSessMax)); ++ CHKiRet(tcpsrv.SetCBIsPermittedHost(pOurTcpsrv, isPermittedHost)); ++ CHKiRet(tcpsrv.SetCBRcvData(pOurTcpsrv, doRcvData)); ++ CHKiRet(tcpsrv.SetCBOpenLstnSocks(pOurTcpsrv, doOpenLstnSocks)); ++ 
CHKiRet(tcpsrv.SetCBOnRegularClose(pOurTcpsrv, onRegularClose)); ++ CHKiRet(tcpsrv.SetCBOnErrClose(pOurTcpsrv, onErrClose)); ++ CHKiRet(tcpsrv.SetDrvrMode(pOurTcpsrv, iStrmDrvrMode)); ++ CHKiRet(tcpsrv.SetOnMsgReceive(pOurTcpsrv, OnMsgReceived)); ++ /* now set optional params, but only if they were actually configured */ ++ if(pszStrmDrvrAuthMode != NULL) { ++ CHKiRet(tcpsrv.SetDrvrAuthMode(pOurTcpsrv, pszStrmDrvrAuthMode)); ++ } ++ if(pPermPeersRoot != NULL) { ++ CHKiRet(tcpsrv.SetDrvrPermPeers(pOurTcpsrv, pPermPeersRoot)); + } + + /* initialized, now add socket */ +@@ -595,7 +600,11 @@ static rsRetVal addTCPListener(void __attribute__((unused)) *pVal, uchar *pNewVa + UCHAR_CONSTANT("imdiag") : pszInputName)); + CHKiRet(tcpsrv.SetOrigin(pOurTcpsrv, (uchar*)"imdiag")); + /* we support octect-counted frame (constant 1 below) */ +- tcpsrv.configureTCPListen(pOurTcpsrv, pNewVal, 1, NULL, pszLstnPortFileName); ++ cnf_params->pszPort = pNewVal; ++ cnf_params->bSuppOctetFram = 1; ++ CHKmalloc(cnf_params->pszLstnPortFileName = (const uchar*) strdup((const char*)pszLstnPortFileName)); ++ tcpsrv.configureTCPListen(pOurTcpsrv, cnf_params); ++ cnf_params = NULL; + + finalize_it: + if(iRet != RS_RET_OK) { +@@ -603,7 +612,7 @@ static rsRetVal addTCPListener(void __attribute__((unused)) *pVal, uchar *pNewVa + if(pOurTcpsrv != NULL) + tcpsrv.Destruct(&pOurTcpsrv); + } +- free(pNewVal); ++ free(cnf_params); + RETiRet; + } + +@@ -760,6 +769,7 @@ CODESTARTmodExit + + /* free some globals to keep valgrind happy */ + free(pszInputName); ++fprintf(stderr, "FINAL FREE %p\n", pszLstnPortFileName); + free(pszLstnPortFileName); + free(pszStrmDrvrAuthMode); + +diff --git a/plugins/imgssapi/imgssapi.c b/plugins/imgssapi/imgssapi.c +index e0cab01664..4041e88b14 100644 +--- a/plugins/imgssapi/imgssapi.c ++++ b/plugins/imgssapi/imgssapi.c +@@ -334,34 +334,38 @@ static rsRetVal + actGSSListener(uchar *port) + { + DEFiRet; ++ tcpLstnParams_t *cnf_params = NULL; + gsssrv_t *pGSrv = NULL; + +- 
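Review bot: `strdup((const char*)pszLstnPortFileName)` in the `@@ -595,7 +600,11 @@` hunk of addTCPListener runs unconditionally, and passing NULL to strdup is undefined behaviour. The removed call handed the same global straight to configureTCPListen, and the imgssapi caller passed NULL in that position, so NULL looks like the normal value when no port file is configured. Guard the copy with `if(pszLstnPortFileName != NULL)` and rely on the calloc'd struct for the NULL default. Since `free(pNewVal)` is also gone from finalize_it, the early `ABORT_FINALIZE(RS_RET_ERR)` for a second listener appears to return without releasing the port string.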
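Review bot: The `fprintf(stderr, "FINAL FREE %p\n", pszLstnPortFileName);` line added to modExit looks like leftover debugging: it is unindented, bypasses the module's dbgprintf/LogError channels and writes a heap address to stderr on every unload. The same applies to the two `dbgprintf("RGER: ...")` lines added in nsd_gtls.c AcceptConnReq and tcpsrv.c create_tcp_socket. I would drop all three, or at least route the first one through `DBGPRINTF` so it only appears in debug runs.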
if(pOurTcpsrv == NULL) { +- /* first create/init the gsssrv "object" */ +- if((pGSrv = calloc(1, sizeof(gsssrv_t))) == NULL) +- ABORT_FINALIZE(RS_RET_OUT_OF_MEMORY); +- +- pGSrv->allowedMethods = ALLOWEDMETHOD_GSS; +- if(bPermitPlainTcp) +- pGSrv->allowedMethods |= ALLOWEDMETHOD_TCP; +- /* gsssrv initialized */ +- +- CHKiRet(tcpsrv.Construct(&pOurTcpsrv)); +- CHKiRet(tcpsrv.SetUsrP(pOurTcpsrv, pGSrv)); +- CHKiRet(tcpsrv.SetCBOnSessConstructFinalize(pOurTcpsrv, OnSessConstructFinalize)); +- CHKiRet(tcpsrv.SetCBOnSessDestruct(pOurTcpsrv, OnSessDestruct)); +- CHKiRet(tcpsrv.SetCBIsPermittedHost(pOurTcpsrv, isPermittedHost)); +- CHKiRet(tcpsrv.SetCBRcvData(pOurTcpsrv, doRcvData)); +- CHKiRet(tcpsrv.SetCBOpenLstnSocks(pOurTcpsrv, doOpenLstnSocks)); +- CHKiRet(tcpsrv.SetCBOnSessAccept(pOurTcpsrv, onSessAccept)); +- CHKiRet(tcpsrv.SetCBOnRegularClose(pOurTcpsrv, onRegularClose)); +- CHKiRet(tcpsrv.SetCBOnErrClose(pOurTcpsrv, onErrClose)); +- CHKiRet(tcpsrv.SetInputName(pOurTcpsrv, UCHAR_CONSTANT("imgssapi"))); +- CHKiRet(tcpsrv.SetKeepAlive(pOurTcpsrv, bKeepAlive)); +- CHKiRet(tcpsrv.SetOrigin(pOurTcpsrv, UCHAR_CONSTANT("imgssapi"))); +- tcpsrv.configureTCPListen(pOurTcpsrv, port, 1, NULL, NULL); +- CHKiRet(tcpsrv.ConstructFinalize(pOurTcpsrv)); +- } ++ assert(pOurTcpsrv == NULL); ++ CHKmalloc(cnf_params = (tcpLstnParams_t*) calloc(1, sizeof(tcpLstnParams_t))); ++ /* first create/init the gsssrv "object" */ ++ if((pGSrv = calloc(1, sizeof(gsssrv_t))) == NULL) ++ ABORT_FINALIZE(RS_RET_OUT_OF_MEMORY); ++ ++ pGSrv->allowedMethods = ALLOWEDMETHOD_GSS; ++ if(bPermitPlainTcp) ++ pGSrv->allowedMethods |= ALLOWEDMETHOD_TCP; ++ /* gsssrv initialized */ ++ ++ CHKiRet(tcpsrv.Construct(&pOurTcpsrv)); ++ CHKiRet(tcpsrv.SetUsrP(pOurTcpsrv, pGSrv)); ++ CHKiRet(tcpsrv.SetCBOnSessConstructFinalize(pOurTcpsrv, OnSessConstructFinalize)); ++ CHKiRet(tcpsrv.SetCBOnSessDestruct(pOurTcpsrv, OnSessDestruct)); ++ CHKiRet(tcpsrv.SetCBIsPermittedHost(pOurTcpsrv, isPermittedHost)); ++ 
CHKiRet(tcpsrv.SetCBRcvData(pOurTcpsrv, doRcvData)); ++ CHKiRet(tcpsrv.SetCBOpenLstnSocks(pOurTcpsrv, doOpenLstnSocks)); ++ CHKiRet(tcpsrv.SetCBOnSessAccept(pOurTcpsrv, onSessAccept)); ++ CHKiRet(tcpsrv.SetCBOnRegularClose(pOurTcpsrv, onRegularClose)); ++ CHKiRet(tcpsrv.SetCBOnErrClose(pOurTcpsrv, onErrClose)); ++ CHKiRet(tcpsrv.SetInputName(pOurTcpsrv, UCHAR_CONSTANT("imgssapi"))); ++ CHKiRet(tcpsrv.SetKeepAlive(pOurTcpsrv, bKeepAlive)); ++ CHKiRet(tcpsrv.SetOrigin(pOurTcpsrv, UCHAR_CONSTANT("imgssapi"))); ++ cnf_params->pszPort = port; ++ cnf_params->bSuppOctetFram = 1; ++ tcpsrv.configureTCPListen(pOurTcpsrv, cnf_params); ++ CHKiRet(tcpsrv.ConstructFinalize(pOurTcpsrv)); ++ cnf_params = NULL; + + finalize_it: + if(iRet != RS_RET_OK) { +@@ -370,6 +374,7 @@ actGSSListener(uchar *port) + tcpsrv.Destruct(&pOurTcpsrv); + free(pGSrv); + } ++ free(cnf_params); + RETiRet; + } + +diff --git a/plugins/imtcp/imtcp.c b/plugins/imtcp/imtcp.c +index cf74d4c616..c336e6c24d 100644 +--- a/plugins/imtcp/imtcp.c ++++ b/plugins/imtcp/imtcp.c +@@ -4,7 +4,7 @@ + * File begun on 2007-12-21 by RGerhards (extracted from syslogd.c, + * which at the time of the rsyslog fork was BSD-licensed) + * +- * Copyright 2007-2017 Adiscon GmbH. ++ * Copyright 2007-2020 Adiscon GmbH. + * + * This file is part of rsyslog. 
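Review bot: In actGSSListener `cnf_params = NULL;` comes after `CHKiRet(tcpsrv.ConstructFinalize(pOurTcpsrv));`, so when ConstructFinalize fails the pointer already handed to configureTCPListen is still non-NULL at the new `free(cnf_params)`. addNewLstnPort stores that pointer (`pEntry->cnf_params = cnf_params`) and deinit_tcp_listener frees it, so if `tcpsrv.Destruct` in the error path tears down the listener list (not visible here) the block is freed twice. imdiag clears the pointer immediately after the call; doing the same here, `tcpsrv.configureTCPListen(pOurTcpsrv, cnf_params); cnf_params = NULL;`, closes that window. Separately, `assert(pOurTcpsrv == NULL)` replaces a runtime guard and disappears under NDEBUG, whereas imdiag reports the second-listener case with LogError and `ABORT_FINALIZE(RS_RET_ERR)`.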
+ * +@@ -112,9 +112,7 @@ static struct configSettings_s { + } cs; + + struct instanceConf_s { +- uchar *pszBindPort; /* port to bind to */ +- uchar *pszLstnPortFileName; /* file dynamic port is written to */ +- uchar *pszBindAddr; /* IP to bind socket to */ ++ tcpLstnParams_t *cnf_params; /**< listener config parameters */ + uchar *pszBindRuleset; /* name of ruleset to bind to */ + ruleset_t *pBindRuleset; /* ruleset to bind listener to (use system default if unspecified) */ + uchar *pszInputName; /* value for inputname property, NULL is OK and handled by core engine */ +@@ -122,7 +120,6 @@ struct instanceConf_s { + sbool bSPFramingFix; + unsigned int ratelimitInterval; + unsigned int ratelimitBurst; +- int bSuppOctetFram; + struct instanceConf_s *next; + }; + +@@ -288,19 +285,20 @@ setPermittedPeer(void __attribute__((unused)) *pVal, uchar *pszID) + static rsRetVal + createInstance(instanceConf_t **pinst) + { +- instanceConf_t *inst; ++ instanceConf_t *inst = NULL; ++ + DEFiRet; + CHKmalloc(inst = malloc(sizeof(instanceConf_t))); ++ CHKmalloc(inst->cnf_params = (tcpLstnParams_t*) calloc(1, sizeof(tcpLstnParams_t))); + inst->next = NULL; + inst->pszBindRuleset = NULL; + inst->pszInputName = NULL; +- inst->pszBindAddr = NULL; + inst->dfltTZ = NULL; +- inst->bSuppOctetFram = -1; /* unset */ ++ inst->cnf_params->bSuppOctetFram = -1; /* unset */ + inst->bSPFramingFix = 0; + inst->ratelimitInterval = 0; + inst->ratelimitBurst = 10000; +- inst->pszLstnPortFileName = NULL; ++ inst->cnf_params->pszLstnPortFileName = NULL; + + /* node created, let's add to config */ + if(loadModConf->tail == NULL) { +@@ -312,6 +310,9 @@ createInstance(instanceConf_t **pinst) + + *pinst = inst; + finalize_it: ++ if(iRet != RS_RET_OK) { ++ free(inst); ++ } + RETiRet; + } + +@@ -328,7 +329,7 @@ static rsRetVal addInstance(void __attribute__((unused)) *pVal, uchar *pNewVal) + + CHKiRet(createInstance(&inst)); + +- CHKmalloc(inst->pszBindPort = ustrdup((pNewVal == NULL || *pNewVal == '\0') ++ 
CHKmalloc(inst->cnf_params->pszPort = ustrdup((pNewVal == NULL || *pNewVal == '\0') + ? (uchar*) "10514" : pNewVal)); + if((cs.pszBindRuleset == NULL) || (cs.pszBindRuleset[0] == '\0')) { + inst->pszBindRuleset = NULL; +@@ -336,14 +337,14 @@ static rsRetVal addInstance(void __attribute__((unused)) *pVal, uchar *pNewVal) + CHKmalloc(inst->pszBindRuleset = ustrdup(cs.pszBindRuleset)); + } + if((cs.lstnIP == NULL) || (cs.lstnIP[0] == '\0')) { +- inst->pszBindAddr = NULL; ++ inst->cnf_params->pszAddr = NULL; + } else { +- CHKmalloc(inst->pszBindAddr = ustrdup(cs.lstnIP)); ++ CHKmalloc(inst->cnf_params->pszAddr = ustrdup(cs.lstnIP)); + } + if((cs.lstnPortFile == NULL) || (cs.lstnPortFile[0] == '\0')) { +- inst->pszBindAddr = NULL; ++ inst->cnf_params->pszAddr = NULL; + } else { +- CHKmalloc(inst->pszLstnPortFileName = ustrdup(cs.lstnPortFile)); ++ CHKmalloc(inst->cnf_params->pszLstnPortFileName = ustrdup(cs.lstnPortFile)); + } + + if((cs.pszInputName == NULL) || (cs.pszInputName[0] == '\0')) { +@@ -351,7 +352,7 @@ static rsRetVal addInstance(void __attribute__((unused)) *pVal, uchar *pNewVal) + } else { + CHKmalloc(inst->pszInputName = ustrdup(cs.pszInputName)); + } +- inst->bSuppOctetFram = cs.bSuppOctetFram; ++ inst->cnf_params->bSuppOctetFram = cs.bSuppOctetFram; + + finalize_it: + free(pNewVal); +@@ -407,7 +408,7 @@ addListner(modConfData_t *modConf, instanceConf_t *inst) + } + + /* initialized, now add socket and listener params */ +- DBGPRINTF("imtcp: trying to add port *:%s\n", inst->pszBindPort); ++ DBGPRINTF("imtcp: trying to add port *:%s\n", inst->cnf_params->pszPort); + CHKiRet(tcpsrv.SetRuleset(pOurTcpsrv, inst->pBindRuleset)); + CHKiRet(tcpsrv.SetInputName(pOurTcpsrv, inst->pszInputName == NULL ? 
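Review bot: The empty-`cs.lstnPortFile` branch in addInstance assigns `inst->cnf_params->pszAddr = NULL;`, which overwrites the bind address that the preceding block just copied from `cs.lstnIP`. With a listen IP set and no port file, the instance ends up with a NULL address, which the comment in tcpsrv.c initTCPListener describes as "bind to all interfaces", and the ustrdup'd string is leaked. The line was carried over unchanged from the old `pszBindAddr` code; the branch should read `inst->cnf_params->pszLstnPortFileName = NULL;`, or be dropped since createInstance already sets that default. addInstance starts and ends outside this hunk.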
+ UCHAR_CONSTANT("imtcp") : inst->pszInputName)); +@@ -416,12 +417,12 @@ addListner(modConfData_t *modConf, instanceConf_t *inst) + CHKiRet(tcpsrv.SetbSPFramingFix(pOurTcpsrv, inst->bSPFramingFix)); + CHKiRet(tcpsrv.SetLinuxLikeRatelimiters(pOurTcpsrv, inst->ratelimitInterval, inst->ratelimitBurst)); + +- if((ustrcmp(inst->pszBindPort, UCHAR_CONSTANT("0")) == 0 && inst->pszLstnPortFileName == NULL) +- || ustrcmp(inst->pszBindPort, UCHAR_CONSTANT("0")) < 0) { +- CHKmalloc(inst->pszBindPort = (uchar*)strdup("514")); ++ if((ustrcmp(inst->cnf_params->pszPort, UCHAR_CONSTANT("0")) == 0 ++ && inst->cnf_params->pszLstnPortFileName == NULL) ++ || ustrcmp(inst->cnf_params->pszPort, UCHAR_CONSTANT("0")) < 0) { ++ CHKmalloc(inst->cnf_params->pszPort = (uchar*)strdup("514")); + } +- tcpsrv.configureTCPListen(pOurTcpsrv, inst->pszBindPort, inst->bSuppOctetFram, +- inst->pszBindAddr, inst->pszLstnPortFileName); ++ tcpsrv.configureTCPListen(pOurTcpsrv, inst->cnf_params); + + finalize_it: + if(iRet != RS_RET_OK) { +@@ -456,9 +457,9 @@ CODESTARTnewInpInst + if(!pvals[i].bUsed) + continue; + if(!strcmp(inppblk.descr[i].name, "port")) { +- inst->pszBindPort = (uchar*)es_str2cstr(pvals[i].val.d.estr, NULL); ++ inst->cnf_params->pszPort = (uchar*)es_str2cstr(pvals[i].val.d.estr, NULL); + } else if(!strcmp(inppblk.descr[i].name, "address")) { +- inst->pszBindAddr = (uchar*)es_str2cstr(pvals[i].val.d.estr, NULL); ++ inst->cnf_params->pszAddr = (uchar*)es_str2cstr(pvals[i].val.d.estr, NULL); + } else if(!strcmp(inppblk.descr[i].name, "name")) { + inst->pszInputName = (uchar*)es_str2cstr(pvals[i].val.d.estr, NULL); + } else if(!strcmp(inppblk.descr[i].name, "defaulttz")) { +@@ -468,13 +469,13 @@ CODESTARTnewInpInst + } else if(!strcmp(inppblk.descr[i].name, "ruleset")) { + inst->pszBindRuleset = (uchar*)es_str2cstr(pvals[i].val.d.estr, NULL); + } else if(!strcmp(inppblk.descr[i].name, "supportoctetcountedframing")) { +- inst->bSuppOctetFram = (int) pvals[i].val.d.n; ++ 
inst->cnf_params->bSuppOctetFram = (int) pvals[i].val.d.n; + } else if(!strcmp(inppblk.descr[i].name, "ratelimit.burst")) { + inst->ratelimitBurst = (unsigned int) pvals[i].val.d.n; + } else if(!strcmp(inppblk.descr[i].name, "ratelimit.interval")) { + inst->ratelimitInterval = (unsigned int) pvals[i].val.d.n; + } else if(!strcmp(inppblk.descr[i].name, "listenportfilename")) { +- inst->pszLstnPortFileName = (uchar*)es_str2cstr(pvals[i].val.d.estr, NULL); ++ inst->cnf_params->pszLstnPortFileName = (uchar*)es_str2cstr(pvals[i].val.d.estr, NULL); + } else { + dbgprintf("imtcp: program error, non-handled " + "param '%s'\n", inppblk.descr[i].name); +@@ -656,7 +657,7 @@ std_checkRuleset_genErrMsg(__attribute__((unused)) modConfData_t *modConf, insta + { + LogError(0, NO_ERRCODE, "imtcp: ruleset '%s' for port %s not found - " + "using default ruleset instead", inst->pszBindRuleset, +- inst->pszBindPort); ++ inst->cnf_params->pszPort); + } + + BEGINcheckCnf +@@ -664,8 +665,8 @@ BEGINcheckCnf + CODESTARTcheckCnf + for(inst = pModConf->root ; inst != NULL ; inst = inst->next) { + std_checkRuleset(pModConf, inst); +- if(inst->bSuppOctetFram == FRAMING_UNSET) +- inst->bSuppOctetFram = pModConf->bSuppOctetFram; ++ if(inst->cnf_params->bSuppOctetFram == FRAMING_UNSET) ++ inst->cnf_params->bSuppOctetFram = pModConf->bSuppOctetFram; + } + if(pModConf->root == NULL) { + LogError(0, RS_RET_NO_LISTNERS , "imtcp: module loaded, but " +@@ -713,12 +714,9 @@ CODESTARTfreeCnf + free(pModConf->permittedPeers); + } + for(inst = pModConf->root ; inst != NULL ; ) { +- free(inst->pszBindPort); +- free(inst->pszLstnPortFileName); +- free(inst->pszBindAddr); +- free(inst->pszBindRuleset); +- free(inst->pszInputName); +- free(inst->dfltTZ); ++ free((void*)inst->pszBindRuleset); ++ free((void*)inst->pszInputName); ++ free((void*)inst->dfltTZ); + del = inst; + inst = inst->next; + free(del); +diff --git a/runtime/netstrm.c b/runtime/netstrm.c +index 8a394a02eb..2c1db46378 100644 +--- 
a/runtime/netstrm.c ++++ b/runtime/netstrm.c +@@ -12,12 +12,18 @@ + * to carry out its work (including, and most importantly, transport + * drivers). + * ++ * Note on processing: ++ * - Initiating a listener may be driver-specific, but in regard to TLS/non-TLS ++ * it actually is not. This is because TLS is negotiated after a connection ++ * has been established. So it is the "acceptConnReq" driver entry where TLS ++ * params need to be applied. ++ * + * Work on this module begun 2008-04-17 by Rainer Gerhards. This code + * borrows from librelp's tcp.c/.h code. librelp is dual licensed and + * Rainer Gerhards and Adiscon GmbH have agreed to permit using the code + * under the terms of the GNU Lesser General Public License. + * +- * Copyright 2007-2009 Rainer Gerhards and Adiscon GmbH. ++ * Copyright 2007-2020 Rainer Gerhards and Adiscon GmbH. + * + * This file is part of the rsyslog runtime library. + * +@@ -134,18 +140,17 @@ AcceptConnReq(netstrm_t *pThis, netstrm_t **ppNew) + * pLstnPort must point to a port name or number. NULL is NOT permitted. + * rgerhards, 2008-04-22 + */ +-static rsRetVal ++static rsRetVal ATTR_NONNULL(1,3,5) + LstnInit(netstrms_t *pNS, void *pUsr, rsRetVal(*fAddLstn)(void*,netstrm_t*), +- uchar *pLstnPort, uchar *pLstnIP, int iSessMax, +- uchar *pszLstnPortFileName) ++ const int iSessMax, const tcpLstnParams_t *const cnf_params) + { + DEFiRet; + + ISOBJ_TYPE_assert(pNS, netstrms); + assert(fAddLstn != NULL); +- assert(pLstnPort != NULL); ++ assert(cnf_params->pszPort != NULL); + +- CHKiRet(pNS->Drvr.LstnInit(pNS, pUsr, fAddLstn, pLstnPort, pLstnIP, iSessMax, pszLstnPortFileName)); ++ CHKiRet(pNS->Drvr.LstnInit(pNS, pUsr, fAddLstn, iSessMax, cnf_params)); + + finalize_it: + RETiRet; +diff --git a/runtime/netstrm.h b/runtime/netstrm.h +index 2e28d7e2e6..4ca35805e7 100644 +--- a/runtime/netstrm.h ++++ b/runtime/netstrm.h +@@ -1,6 +1,6 @@ + /* Definitions for the stream-based netstrmworking class. 
+ * +- * Copyright 2007, 2008 Rainer Gerhards and Adiscon GmbH. ++ * Copyright 2007-2020 Rainer Gerhards and Adiscon GmbH. + * + * This file is part of the rsyslog runtime library. + * +@@ -24,6 +24,7 @@ + #ifndef INCLUDED_NETSTRM_H + #define INCLUDED_NETSTRM_H + ++#include "tcpsrv.h" + #include "netstrms.h" + + /* the netstrm object */ +@@ -31,6 +32,7 @@ struct netstrm_s { + BEGINobjInstance; /* Data to implement generic object - MUST be the first data element! */ + nsd_t *pDrvrData; /**< the driver's data elements (at most other places, this is called pNsd) */ + nsd_if_t Drvr; /**< our stream driver */ ++ uchar *pszDrvrAuthMode; /**< auth mode of the stream driver to use */ + void *pUsr; /**< pointer to user-provided data structure */ + netstrms_t *pNS; /**< pointer to our netstream subsystem object */ + }; +@@ -76,8 +78,8 @@ BEGINinterface(netstrm) /* name must also be changed in ENDinterface macro! */ + rsRetVal (*SetKeepAliveIntvl)(netstrm_t *pThis, int keepAliveIntvl); + rsRetVal (*SetGnutlsPriorityString)(netstrm_t *pThis, uchar *priorityString); + /* v11 -- Parameter pszLstnFileName added to LstnInit*/ +- rsRetVal (*LstnInit)(netstrms_t *pNS, void *pUsr, rsRetVal(*)(void*,netstrm_t*), +- uchar *pLstnPort, uchar *pLstnIP, int iSessMax, uchar *pszLstnPortFileName); ++ rsRetVal (ATTR_NONNULL(1,3,5) *LstnInit)(netstrms_t *pNS, void *pUsr, rsRetVal(*)(void*,netstrm_t*), ++ const int iSessMax, const tcpLstnParams_t *const cnf_params); + /* v12 -- two new binary flags added to gtls driver enabling stricter operation */ + rsRetVal (*SetDrvrCheckExtendedKeyUsage)(netstrm_t *pThis, int ChkExtendedKeyUsage); + rsRetVal (*SetDrvrPrioritizeSAN)(netstrm_t *pThis, int prioritizeSan); +diff --git a/runtime/nsd.h b/runtime/nsd.h +index e862348fd6..eecffed05e 100644 +--- a/runtime/nsd.h ++++ b/runtime/nsd.h +@@ -84,8 +84,8 @@ BEGINinterface(nsd) /* name must also be changed in ENDinterface macro! 
*/ + rsRetVal (*SetKeepAliveTime)(nsd_t *pThis, int keepAliveTime); + rsRetVal (*SetGnutlsPriorityString)(nsd_t *pThis, uchar *gnutlsPriorityString); + /* v12 -- parameter pszLstnPortFileName added to LstnInit()*/ +- rsRetVal (*LstnInit)(netstrms_t *pNS, void *pUsr, rsRetVal(*fAddLstn)(void*,netstrm_t*), +- uchar *pLstnPort, uchar *pLstnIP, int iSessMax, uchar *pszLstnPortFileName); ++ rsRetVal (ATTR_NONNULL(1,3,5) *LstnInit)(netstrms_t *pNS, void *pUsr, rsRetVal(*)(void*,netstrm_t*), ++ const int iSessMax, const tcpLstnParams_t *const cnf_params); + /* v13 -- two new binary flags added to gtls driver enabling stricter operation */ + rsRetVal (*SetCheckExtendedKeyUsage)(nsd_t *pThis, int ChkExtendedKeyUsage); + rsRetVal (*SetPrioritizeSAN)(nsd_t *pThis, int prioritizeSan); +diff --git a/runtime/nsd_gtls.c b/runtime/nsd_gtls.c +index da90c2e096..55f6713d62 100644 +--- a/runtime/nsd_gtls.c ++++ b/runtime/nsd_gtls.c +@@ -1692,14 +1692,13 @@ Abort(nsd_t *pNsd) + * a session, but not during listener setup. 
+ * gerhards, 2008-04-25 + */ +-static rsRetVal ++static rsRetVal ATTR_NONNULL(1,3,5) + LstnInit(netstrms_t *pNS, void *pUsr, rsRetVal(*fAddLstn)(void*,netstrm_t*), +- uchar *pLstnPort, uchar *pLstnIP, int iSessMax, +- uchar *pszLstnPortFileName) ++ const int iSessMax, const tcpLstnParams_t *const cnf_params) + { + DEFiRet; + CHKiRet(gtlsGlblInitLstn()); +- iRet = nsd_ptcp.LstnInit(pNS, pUsr, fAddLstn, pLstnPort, pLstnIP, iSessMax, pszLstnPortFileName); ++ iRet = nsd_ptcp.LstnInit(pNS, pUsr, fAddLstn, iSessMax, cnf_params); + finalize_it: + RETiRet; + } +@@ -1785,6 +1784,7 @@ AcceptConnReq(nsd_t *pNsd, nsd_t **ppNew) + FINALIZE; + } + /* copy Properties to pnew first */ ++dbgprintf("RGER: pThis %p pNew %p, authMode %d\n", pThis, pNew, pThis->authMode); + pNew->authMode = pThis->authMode; + pNew->permitExpiredCerts = pThis->permitExpiredCerts; + pNew->pPermPeers = pThis->pPermPeers; +diff --git a/runtime/nsd_ossl.c b/runtime/nsd_ossl.c +index 431ea738b8..79347916e4 100644 +--- a/runtime/nsd_ossl.c ++++ b/runtime/nsd_ossl.c +@@ -1308,16 +1308,15 @@ Abort(nsd_t *pNsd) + */ + static rsRetVal + LstnInit(netstrms_t *pNS, void *pUsr, rsRetVal(*fAddLstn)(void*,netstrm_t*), +- uchar *pLstnPort, uchar *pLstnIP, int iSessMax, uchar *pszLstnPortFileName) ++ const int iSessMax, const tcpLstnParams_t *const cnf_params) + { + DEFiRet; + + dbgprintf("LstnInit for openssl: entering LstnInit (%p) for %s:%s SessMax=%d\n", +- fAddLstn, pLstnIP, pLstnPort, iSessMax); ++ fAddLstn, cnf_params->pszAddr, cnf_params->pszPort, iSessMax); + + /* Init TCP Listener using base ptcp class */ +- iRet = nsd_ptcp.LstnInit(pNS, pUsr, fAddLstn, pLstnPort, pLstnIP, +- iSessMax, pszLstnPortFileName); ++ iRet = nsd_ptcp.LstnInit(pNS, pUsr, fAddLstn, iSessMax, cnf_params); + RETiRet; + } + +diff --git a/runtime/nsd_ptcp.c b/runtime/nsd_ptcp.c +index c35138fb7a..2f9e77ba03 100644 +--- a/runtime/nsd_ptcp.c ++++ b/runtime/nsd_ptcp.c +@@ -474,10 +474,9 @@ AcceptConnReq(nsd_t *pNsd, nsd_t **ppNew) + * number 
of sessions permitted. + * rgerhards, 2008-04-22 + */ +-static rsRetVal ++static rsRetVal ATTR_NONNULL(1,3,5) + LstnInit(netstrms_t *pNS, void *pUsr, rsRetVal(*fAddLstn)(void*,netstrm_t*), +- uchar *pLstnPort, uchar *pLstnIP, int iSessMax, +- uchar *pszLstnPortFileName) ++ const int iSessMax, const tcpLstnParams_t *const cnf_params) + { + DEFiRet; + netstrm_t *pNewStrm = NULL; +@@ -497,20 +496,20 @@ LstnInit(netstrms_t *pNS, void *pUsr, rsRetVal(*fAddLstn)(void*,netstrm_t*), + + ISOBJ_TYPE_assert(pNS, netstrms); + assert(fAddLstn != NULL); +- assert(pLstnPort != NULL); ++ assert(cnf_params->pszPort != NULL); + assert(iSessMax >= 0); + +- dbgprintf("creating tcp listen socket on port %s\n", pLstnPort); ++ dbgprintf("creating tcp listen socket on port %s\n", cnf_params->pszPort); + + memset(&hints, 0, sizeof(hints)); + hints.ai_flags = AI_PASSIVE; + hints.ai_family = glbl.GetDefPFFamily(); + hints.ai_socktype = SOCK_STREAM; + +- error = getaddrinfo((char*)pLstnIP, (char*) pLstnPort, &hints, &res); ++ error = getaddrinfo((const char*)cnf_params->pszAddr, (const char*) cnf_params->pszPort, &hints, &res); + if(error) { + LogError(0, RS_RET_INVALID_PORT, "error querying port '%s': %s", +- pLstnPort, gai_strerror(error)); ++ cnf_params->pszAddr, gai_strerror(error)); + ABORT_FINALIZE(RS_RET_INVALID_PORT); + } + +@@ -622,9 +621,9 @@ LstnInit(netstrms_t *pNS, void *pUsr, rsRetVal(*fAddLstn)(void*,netstrm_t*), + r->ai_addrlen = socklen_r; + savecast.sa = (struct sockaddr*)r->ai_addr; + port_override = (isIPv6) ? 
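Review bot: The getaddrinfo failure message still reads `error querying port '%s'` but now receives `cnf_params->pszAddr`, where the removed line passed the port. pszAddr is NULL whenever no bind address is configured, so this hands a NULL pointer to `%s` on exactly the path that reports a bad port, and it hides the value an operator needs to see. Pass the port instead: `"error querying port '%s': %s", cnf_params->pszPort, gai_strerror(error));`. LstnInit continues outside this hunk.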
savecast.ipv6->sin6_port : savecast.ipv4->sin_port; +- if(pszLstnPortFileName != NULL) { ++ if(cnf_params->pszLstnPortFileName != NULL) { + FILE *fp; +- if((fp = fopen((const char*)pszLstnPortFileName, "w+")) == NULL) { ++ if((fp = fopen((const char*)cnf_params->pszLstnPortFileName, "w+")) == NULL) { + LogError(errno, RS_RET_IO_ERROR, "nsd_ptcp: ListenPortFileName: " + "error while trying to open file"); + ABORT_FINALIZE(RS_RET_IO_ERROR); +diff --git a/runtime/nsd_ptcp.h b/runtime/nsd_ptcp.h +index 137b7c3ce7..1c91718c19 100644 +--- a/runtime/nsd_ptcp.h ++++ b/runtime/nsd_ptcp.h +@@ -1,6 +1,6 @@ + /* An implementation of the nsd interface for plain tcp sockets. + * +- * Copyright 2007-2012 Adiscon GmbH. ++ * Copyright 2007-2020 Adiscon GmbH. + * + * This file is part of the rsyslog runtime library. + * +@@ -23,6 +23,7 @@ + #define INCLUDED_NSD_PTCP_H + + #include ++#include "tcpsrv.h" + + #include "nsd.h" + typedef nsd_if_t nsd_ptcp_if_t; /* we just *implement* this interface */ +diff --git a/runtime/tcps_sess.c b/runtime/tcps_sess.c +index 58528c81ec..845e944582 100644 +--- a/runtime/tcps_sess.c ++++ b/runtime/tcps_sess.c +@@ -194,8 +194,8 @@ SetLstnInfo(tcps_sess_t *pThis, tcpLstnPortList_t *pLstnInfo) + assert(pLstnInfo != NULL); + pThis->pLstnInfo = pLstnInfo; + /* set cached elements */ +- pThis->bSuppOctetFram = pLstnInfo->bSuppOctetFram; +- pThis->bSPFramingFix = pLstnInfo->bSPFramingFix; ++ pThis->bSuppOctetFram = pLstnInfo->cnf_params->bSuppOctetFram; ++ pThis->bSPFramingFix = pLstnInfo->cnf_params->bSPFramingFix; + RETiRet; + } + +@@ -235,6 +235,7 @@ defaultDoSubmitMessage(tcps_sess_t *pThis, struct syslogTime *stTime, time_t ttG + DEFiRet; + + ISOBJ_TYPE_assert(pThis, tcps_sess); ++ const tcpLstnParams_t *const cnf_params = pThis->pLstnInfo->cnf_params; + + if(pThis->iMsg == 0) { + DBGPRINTF("discarding zero-sized message\n"); +@@ -249,15 +250,15 @@ defaultDoSubmitMessage(tcps_sess_t *pThis, struct syslogTime *stTime, time_t ttG + /* we now create our 
own message object and submit it to the queue */ + CHKiRet(msgConstructWithTime(&pMsg, stTime, ttGenTime)); + MsgSetRawMsg(pMsg, (char*)pThis->pMsg, pThis->iMsg); +- MsgSetInputName(pMsg, pThis->pLstnInfo->pInputName); +- if(pThis->pLstnInfo->dfltTZ[0] != '\0') +- MsgSetDfltTZ(pMsg, (char*) pThis->pLstnInfo->dfltTZ); ++ MsgSetInputName(pMsg, cnf_params->pInputName); ++ if(cnf_params->dfltTZ[0] != '\0') ++ MsgSetDfltTZ(pMsg, (char*) cnf_params->dfltTZ); + MsgSetFlowControlType(pMsg, pThis->pSrv->bUseFlowControl + ? eFLOWCTL_LIGHT_DELAY : eFLOWCTL_NO_DELAY); + pMsg->msgFlags = NEEDS_PARSING | PARSE_HOSTNAME; + MsgSetRcvFrom(pMsg, pThis->fromHost); + CHKiRet(MsgSetRcvFromIP(pMsg, pThis->fromHostIP)); +- MsgSetRuleset(pMsg, pThis->pLstnInfo->pRuleset); ++ MsgSetRuleset(pMsg, cnf_params->pRuleset); + + STATSCOUNTER_INC(pThis->pLstnInfo->ctrSubmit, pThis->pLstnInfo->mutCtrSubmit); + ratelimitAddMsg(pThis->pLstnInfo->ratelimiter, pMultiSub, pMsg); +diff --git a/runtime/tcpsrv.c b/runtime/tcpsrv.c +index 76a50357c3..ab9573e5b8 100644 +--- a/runtime/tcpsrv.c ++++ b/runtime/tcpsrv.c +@@ -123,9 +123,7 @@ static int wrkrRunning; + * rgerhards, 2009-05-21 + */ + static rsRetVal ATTR_NONNULL(1, 2) +-addNewLstnPort(tcpsrv_t *const pThis, const uchar *const pszPort, +- const int bSuppOctetFram, const uchar *const pszAddr, +- const uchar *const pszLstnPortFileName) ++addNewLstnPort(tcpsrv_t *const pThis, tcpLstnParams_t *const cnf_params) + { + tcpLstnPortList_t *pEntry; + uchar statname[64]; +@@ -135,25 +133,17 @@ addNewLstnPort(tcpsrv_t *const pThis, const uchar *const pszPort, + + /* create entry */ + CHKmalloc(pEntry = (tcpLstnPortList_t*)calloc(1, sizeof(tcpLstnPortList_t))); +- CHKmalloc(pEntry->pszPort = ustrdup(pszPort)); ++ pEntry->cnf_params = cnf_params; + +- pEntry->pszAddr = NULL; +- /* only if a bind adress is defined copy it in struct */ +- if (pszAddr != NULL) { +- CHKmalloc(pEntry->pszAddr = ustrdup(pszAddr)); +- } +- +- strcpy((char*)pEntry->dfltTZ, 
(char*)pThis->dfltTZ); +- pEntry->bSPFramingFix = pThis->bSPFramingFix; ++ strcpy((char*)pEntry->cnf_params->dfltTZ, (char*)pThis->dfltTZ); ++ pEntry->cnf_params->bSPFramingFix = pThis->bSPFramingFix; ++ pEntry->cnf_params->pRuleset = pThis->pRuleset; + pEntry->pSrv = pThis; +- pEntry->pRuleset = pThis->pRuleset; +- pEntry->bSuppOctetFram = bSuppOctetFram; +- pEntry->pszLstnPortFileName = pszLstnPortFileName; + + /* we need to create a property */ +- CHKiRet(prop.Construct(&pEntry->pInputName)); +- CHKiRet(prop.SetString(pEntry->pInputName, pThis->pszInputName, ustrlen(pThis->pszInputName))); +- CHKiRet(prop.ConstructFinalize(pEntry->pInputName)); ++ CHKiRet(prop.Construct(&pEntry->cnf_params->pInputName)); ++ CHKiRet(prop.SetString(pEntry->cnf_params->pInputName, pThis->pszInputName, ustrlen(pThis->pszInputName))); ++ CHKiRet(prop.ConstructFinalize(pEntry->cnf_params->pInputName)); + + /* support statistics gathering */ + CHKiRet(ratelimitNew(&pEntry->ratelimiter, "tcperver", NULL)); +@@ -161,7 +151,7 @@ addNewLstnPort(tcpsrv_t *const pThis, const uchar *const pszPort, + ratelimitSetThreadSafe(pEntry->ratelimiter); + + CHKiRet(statsobj.Construct(&(pEntry->stats))); +- snprintf((char*)statname, sizeof(statname), "%s(%s)", pThis->pszInputName, pszPort); ++ snprintf((char*)statname, sizeof(statname), "%s(%s)", pThis->pszInputName, cnf_params->pszPort); + statname[sizeof(statname)-1] = '\0'; /* just to be on the save side... 
*/ + CHKiRet(statsobj.SetName(pEntry->stats, statname)); + CHKiRet(statsobj.SetOrigin(pEntry->stats, pThis->pszOrigin)); +@@ -177,10 +167,8 @@ addNewLstnPort(tcpsrv_t *const pThis, const uchar *const pszPort, + finalize_it: + if(iRet != RS_RET_OK) { + if(pEntry != NULL) { +- free(pEntry->pszAddr); +- free(pEntry->pszPort); +- if(pEntry->pInputName != NULL) { +- prop.Destruct(&pEntry->pInputName); ++ if(pEntry->cnf_params->pInputName != NULL) { ++ prop.Destruct(&pEntry->cnf_params->pInputName); + } + if(pEntry->ratelimiter != NULL) { + ratelimitDestruct(pEntry->ratelimiter); +@@ -201,29 +189,25 @@ addNewLstnPort(tcpsrv_t *const pThis, const uchar *const pszPort, + * rgerhards, 2008-03-20 + */ + static rsRetVal ATTR_NONNULL(1,2) +-configureTCPListen(tcpsrv_t *const pThis, +- const uchar *const pszPort, +- const int bSuppOctetFram, +- const uchar *const pszAddr, +- const uchar *const pszLstnPortFileName) ++configureTCPListen(tcpsrv_t *const pThis, tcpLstnParams_t *const cnf_params) + { ++ assert(cnf_params->pszPort != NULL); + int i; +- const uchar *pPort = pszPort; + DEFiRet; + +- assert(pszPort != NULL); + ISOBJ_TYPE_assert(pThis, tcpsrv); + + /* extract port */ ++ const uchar *pPort = cnf_params->pszPort; + i = 0; + while(isdigit((int) *pPort)) { + i = i * 10 + *pPort++ - '0'; + } + + if(i >= 0 && i <= 65535) { +- CHKiRet(addNewLstnPort(pThis, pszPort, bSuppOctetFram, pszAddr, pszLstnPortFileName)); ++ CHKiRet(addNewLstnPort(pThis, cnf_params)); + } else { +- LogError(0, NO_ERRCODE, "Invalid TCP listen port %s - ignored.\n", pszPort); ++ LogError(0, NO_ERRCODE, "Invalid TCP listen port %s - ignored.\n", cnf_params->pszPort); + } + + finalize_it: +@@ -331,8 +315,11 @@ deinit_tcp_listener(tcpsrv_t *const pThis) + /* free list of tcp listen ports */ + pEntry = pThis->pLstnPorts; + while(pEntry != NULL) { +- free(pEntry->pszPort); +- prop.Destruct(&pEntry->pInputName); ++ prop.Destruct(&pEntry->cnf_params->pInputName); ++ free((void*)pEntry->cnf_params->pszPort); ++ 
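Review bot: In the `else` branch of configureTCPListen (invalid port) the `cnf_params` block is neither stored in a list entry nor released, and `iRet` is not changed there, so the caller gets no signal that the listener was dropped. This commit makes deinit_tcp_listener the place that frees `cnf_params` and its strings, so a rejected listener looks like a leak of the whole block unless the caller frees it itself; the caller is outside this hunk, so this needs confirming. The function comment should say who owns `cnf_params` on this path, for example `/* on an invalid port cnf_params is NOT taken over; the caller must free it */`, or the branch should report an error after the LogError so the caller can clean up.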
free((void*)pEntry->cnf_params->pszAddr); ++ free((void*)pEntry->cnf_params->pszLstnPortFileName); ++ free((void*)pEntry->cnf_params); + ratelimitDestruct(pEntry->ratelimiter); + statsobj.Destruct(&(pEntry->stats)); + pDel = pEntry; +@@ -373,22 +360,21 @@ addTcpLstn(void *pUsr, netstrm_t *pLstn) + + + /* Initialize TCP listener socket for a single port ++ * Note: at this point, TLS vs. non-TLS does not matter; TLS params are ++ * set on connect! + * rgerhards, 2009-05-21 + */ + static rsRetVal + initTCPListener(tcpsrv_t *pThis, tcpLstnPortList_t *pPortEntry) + { + DEFiRet; +- uchar *TCPLstnPort; + + ISOBJ_TYPE_assert(pThis, tcpsrv); + assert(pPortEntry != NULL); + +- TCPLstnPort = pPortEntry->pszPort; +- + // pPortEntry->pszAddr = NULL ==> bind to all interfaces +- CHKiRet(netstrm.LstnInit(pThis->pNS, (void*)pPortEntry, addTcpLstn, TCPLstnPort, +- pPortEntry->pszAddr, pThis->iSessMax, (uchar*)pPortEntry->pszLstnPortFileName)); ++ CHKiRet(netstrm.LstnInit(pThis->pNS, (void*)pPortEntry, addTcpLstn, ++ pThis->iSessMax, pPortEntry->cnf_params)); + + finalize_it: + RETiRet; +@@ -408,11 +394,12 @@ create_tcp_socket(tcpsrv_t *pThis) + /* init all configured ports */ + pEntry = pThis->pLstnPorts; + while(pEntry != NULL) { ++dbgprintf("RGER: configuring listener %p\n", pEntry); + localRet = initTCPListener(pThis, pEntry); + if(localRet != RS_RET_OK) { + LogError(0, localRet, "Could not create tcp listener, ignoring port " +- "%s bind-address %s.", pEntry->pszPort, +- (pEntry->pszAddr == NULL) ? "(null)" : (const char*)pEntry->pszAddr); ++ "%s bind-address %s.", pEntry->cnf_params->pszPort, ++ (pEntry->cnf_params->pszAddr == NULL) ? "(null)" : (const char*)pEntry->cnf_params->pszAddr); + } + pEntry = pEntry->pNext; + } +@@ -1236,15 +1223,6 @@ SetGnutlsPriorityString(tcpsrv_t *pThis, uchar *iVal) + RETiRet; + } + +-static rsRetVal +-SetLstnPortFileName(tcpsrv_t *pThis, uchar *iVal) +-{ +- DEFiRet; +- DBGPRINTF("tcpsrv: LstnPortFileName set to %s\n", +- (iVal == NULL) ? 
"(null)" : (const char*) iVal); +- pThis->pszLstnPortFileName = iVal; +- RETiRet; +-} + + static rsRetVal + SetOnMsgReceive(tcpsrv_t *pThis, rsRetVal (*OnMsgReceive)(tcps_sess_t*, uchar*, int)) +@@ -1309,6 +1287,7 @@ SetDfltTZ(tcpsrv_t *const pThis, uchar *const tz) + { + DEFiRet; + ISOBJ_TYPE_assert(pThis, tcpsrv); ++dbgprintf("dfltTZ prev: %s\n", pThis->dfltTZ); + strncpy((char*)pThis->dfltTZ, (char*)tz, sizeof(pThis->dfltTZ)); + pThis->dfltTZ[sizeof(pThis->dfltTZ)-1] = '\0'; + RETiRet; +@@ -1557,7 +1536,6 @@ CODESTARTobjQueryInterface(tcpsrv) + pIf->SetKeepAliveProbes = SetKeepAliveProbes; + pIf->SetKeepAliveTime = SetKeepAliveTime; + pIf->SetGnutlsPriorityString = SetGnutlsPriorityString; +- pIf->SetLstnPortFileName = SetLstnPortFileName; + pIf->SetUsrP = SetUsrP; + pIf->SetInputName = SetInputName; + pIf->SetOrigin = SetOrigin; +diff --git a/runtime/tcpsrv.h b/runtime/tcpsrv.h +index db5a1d110a..bae7e3b8b9 100644 +--- a/runtime/tcpsrv.h ++++ b/runtime/tcpsrv.h +@@ -1,6 +1,6 @@ + /* Definitions for tcpsrv class. + * +- * Copyright 2008-2015 Adiscon GmbH. ++ * Copyright 2008-2020 Adiscon GmbH. + * + * This file is part of rsyslog. + * +@@ -23,6 +23,7 @@ + + #include "obj.h" + #include "prop.h" ++#include "net.h" + #include "tcps_sess.h" + #include "statsobj.h" + +@@ -34,19 +35,24 @@ typedef enum ETCPsyslogFramingAnomaly { + } eTCPsyslogFramingAnomaly; + + ++/* config parameters for TCP listeners */ ++struct tcpLstnParams_s { ++ const uchar *pszPort; /**< the ports the listener shall listen on */ ++ const uchar *pszAddr; /**< the addrs the listener shall listen on */ ++ sbool bSuppOctetFram; /**< do we support octect-counted framing? (if no->legay only!)*/ ++ sbool bSPFramingFix; /**< support work-around for broken Cisco ASA framing? 
*/ ++ const uchar *pszLstnPortFileName; /**< File in which the dynamic port is written */ ++ prop_t *pInputName; ++ ruleset_t *pRuleset; /**< associated ruleset */ ++ uchar dfltTZ[8]; /**< default TZ if none in timestamp; '\0' =No Default */ ++}; ++ + /* list of tcp listen ports */ + struct tcpLstnPortList_s { +- uchar *pszPort; /**< the ports the listener shall listen on */ +- uchar *pszAddr; /**< the addrs the listener shall listen on */ +- prop_t *pInputName; ++ tcpLstnParams_t *cnf_params; /**< listener config parameters */ + tcpsrv_t *pSrv; /**< pointer to higher-level server instance */ +- ruleset_t *pRuleset; /**< associated ruleset */ + statsobj_t *stats; /**< associated stats object */ +- sbool bSuppOctetFram; /**< do we support octect-counted framing? (if no->legay only!)*/ + ratelimit_t *ratelimiter; +- uchar dfltTZ[8]; /**< default TZ if none in timestamp; '\0' =No Default */ +- sbool bSPFramingFix; /**< support work-around for broken Cisco ASA framing? */ +- const uchar *pszLstnPortFileName; /**< File in which the dynamic port is written */ + STATSCOUNTER_DEF(ctrSubmit, mutCtrSubmit) + tcpLstnPortList_t *pNext; /**< next port or NULL */ + }; +@@ -130,8 +136,7 @@ BEGINinterface(tcpsrv) /* name must also be changed in ENDinterface macro! */ + rsRetVal (*Construct)(tcpsrv_t **ppThis); + rsRetVal (*ConstructFinalize)(tcpsrv_t __attribute__((unused)) *pThis); + rsRetVal (*Destruct)(tcpsrv_t **ppThis); +- rsRetVal (*ATTR_NONNULL(1,2) configureTCPListen)(tcpsrv_t*, +- const uchar *pszPort, int bSuppOctetFram, const uchar *pszAddr, const uchar *); ++ rsRetVal (*ATTR_NONNULL(1,2) configureTCPListen)(tcpsrv_t*, tcpLstnParams_t *const cnf_params); + rsRetVal (*create_tcp_socket)(tcpsrv_t *pThis); + rsRetVal (*Run)(tcpsrv_t *pThis); + /* set methods */ +@@ -188,8 +193,6 @@ BEGINinterface(tcpsrv) /* name must also be changed in ENDinterface macro! 
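Review bot: The new `struct tcpLstnParams_s` does not document its ownership contract, and `pInputName` is the only member without a comment. In tcpsrv.c in this same patch, addNewLstnPort stores the caller's pointer and writes `dfltTZ`, `bSPFramingFix`, `pRuleset` and `pInputName` into it, while deinit_tcp_listener frees `pszPort`, `pszAddr`, `pszLstnPortFileName` (through `(void*)` casts that drop the `const`) and then the struct itself. I would add above the struct `/* heap-allocated by the caller; ownership passes to tcpsrv, which frees the strings and the struct in deinit_tcp_listener() */` and give `pInputName` a `/**< input name property, constructed in addNewLstnPort */` comment. Because `dfltTZ` is a fixed `uchar[8]` filled with `strcpy` in addNewLstnPort, a bounded copy there would keep the size assumption local rather than relying on the source buffer's size, which is not visible in this diff.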
*/ + rsRetVal (*SetGnutlsPriorityString)(tcpsrv_t*, uchar*); + /* added v21 -- Preserve case in fromhost, 2018-08-16 */ + rsRetVal (*SetPreserveCase)(tcpsrv_t *pThis, int bPreserveCase); +- /* added v22 -- File for dynamic Port, 2018-08-29 */ +- rsRetVal (*SetLstnPortFileName)(tcpsrv_t*, uchar*); + /* added v23 -- Options for stricter driver behavior, 2019-08-16 */ + rsRetVal (*SetDrvrCheckExtendedKeyUsage)(tcpsrv_t *pThis, int ChkExtendedKeyUsage); + rsRetVal (*SetDrvrPrioritizeSAN)(tcpsrv_t *pThis, int prioritizeSan); +diff --git a/runtime/typedefs.h b/runtime/typedefs.h +index 06f5c25a8c..000b4da4fe 100644 +--- a/runtime/typedefs.h ++++ b/runtime/typedefs.h +@@ -123,6 +123,7 @@ typedef int rs_size_t; /* we do never need more than 2Gig strings, signed permit + typedef rsRetVal (*prsf_t)(struct vmstk_s*, int); /* pointer to a RainerScript function */ + typedef uint64 qDeqID; /* queue Dequeue order ID. 32 bits is considered dangerously few */ + ++typedef struct tcpLstnParams_s tcpLstnParams_t; + typedef struct tcpLstnPortList_s tcpLstnPortList_t; // TODO: rename? + typedef struct strmLstnPortList_s strmLstnPortList_t; // TODO: rename? + typedef struct actWrkrIParams actWrkrIParams_t; diff --git a/SOURCES/rsyslog-8.2102.0-nsd_ossl-better-logs.patch b/SOURCES/rsyslog-8.2102.0-nsd_ossl-better-logs.patch new file mode 100644 index 0000000..b45f19a --- /dev/null +++ b/SOURCES/rsyslog-8.2102.0-nsd_ossl-better-logs.patch 
@@ -0,0 +1,124 @@ +diff --git a/runtime/nsd_ossl.c b/runtime/nsd_ossl.c +index e55b014b2c..431ea738b8 100644 +--- a/runtime/nsd_ossl.c ++++ b/runtime/nsd_ossl.c +@@ -210,7 +210,8 @@ void osslLastSSLErrorMsg(int ret, SSL *ssl, int severity, const char* pszCallSou + + /* Loop through ERR_get_error */ + while ((un_error = ERR_get_error()) > 0){ +- LogMsg(0, RS_RET_NO_ERRCODE, severity, "OpenSSL Error Stack: %s", ERR_error_string(un_error, NULL) ); ++ LogMsg(0, RS_RET_NO_ERRCODE, severity, ++ "nsd_ossl:OpenSSL Error Stack: %s", ERR_error_string(un_error, NULL) ); + } + } + +@@ -721,9 +722,10 @@ osslChkPeerFingerprint(nsd_ossl_t *pThis, X509 *pCert) + if(pThis->bReportAuthErr == 1) { + errno = 0; + LogError(0, RS_RET_INVALID_FINGERPRINT, +- "nsd_ossl:error:" +- " peer fingerprint '%s' unknown - we are " +- "not permitted to talk to it", cstrGetSzStrNoNULL(pstrFingerprint)); ++ "nsd_ossl:error: peer fingerprint '%s' unknown - we are " ++ "not permitted to talk to it", cstrGetSzStrNoNULL(pstrFingerprint)); ++ LogMsg(0, RS_RET_NO_ERRCODE, LOG_INFO, ++ "nsd_ossl:TLS session terminated with remote syslog server."); + pThis->bReportAuthErr = 0; + } + ABORT_FINALIZE(RS_RET_INVALID_FINGERPRINT); +@@ -834,8 +836,10 @@ osslChkPeerName(nsd_ossl_t *pThis, X509 *pCert) + cstrFinalize(pStr); + errno = 0; + LogError(0, RS_RET_INVALID_FINGERPRINT, "nsd_ossl:error: peer name not authorized - " +- "not permitted to talk to it. Names: %s", +- cstrGetSzStrNoNULL(pStr)); ++ "not permitted to talk to it. 
Names: %s", ++ cstrGetSzStrNoNULL(pStr)); ++ LogMsg(0, RS_RET_NO_ERRCODE, LOG_INFO, ++ "nsd_ossl:TLS session terminated with remote syslog server."); + pThis->bReportAuthErr = 0; + } + ABORT_FINALIZE(RS_RET_INVALID_FINGERPRINT); +@@ -871,8 +875,10 @@ osslChkPeerID(nsd_ossl_t *pThis) + if(pThis->bReportAuthErr == 1) { + errno = 0; + LogError(0, RS_RET_TLS_NO_CERT, "nsd_ossl:error: peer did not provide a certificate, " +- "not permitted to talk to it"); ++ "not permitted to talk to it"); + pThis->bReportAuthErr = 0; ++ LogMsg(0, RS_RET_NO_ERRCODE, LOG_INFO, ++ "nsd_ossl:TLS session terminated with remote syslog server."); + } + ABORT_FINALIZE(RS_RET_TLS_NO_CERT); + } +@@ -905,15 +911,19 @@ osslChkPeerCertValidity(nsd_ossl_t *pThis) + if (iVerErr == X509_V_ERR_CERT_HAS_EXPIRED) { + if (pThis->permitExpiredCerts == OSSL_EXPIRED_DENY) { + LogError(0, RS_RET_CERT_EXPIRED, +- "nsd_ossl:CertValidity check" +-"- not permitted to talk to peer: certificate expired: %s", ++ "nsd_ossl:CertValidity check - not permitted to talk to peer: " ++ "certificate expired: %s", + X509_verify_cert_error_string(iVerErr)); ++ LogMsg(0, RS_RET_NO_ERRCODE, LOG_INFO, ++ "nsd_ossl:TLS session terminated with remote syslog server."); + ABORT_FINALIZE(RS_RET_CERT_EXPIRED); + } else if (pThis->permitExpiredCerts == OSSL_EXPIRED_WARN) { + LogMsg(0, RS_RET_NO_ERRCODE, LOG_WARNING, +- "nsd_ossl:CertValidity check" +-"- warning talking to peer: certificate expired: %s", ++ "nsd_ossl:CertValidity check - warning talking to peer: " ++ "certificate expired: %s", + X509_verify_cert_error_string(iVerErr)); ++ LogMsg(0, RS_RET_NO_ERRCODE, LOG_INFO, ++ "nsd_ossl:TLS session terminated with remote syslog server."); + } else { + dbgprintf("osslChkPeerCertValidity: talking to peer: certificate expired: %s\n", + X509_verify_cert_error_string(iVerErr)); +@@ -921,6 +931,8 @@ osslChkPeerCertValidity(nsd_ossl_t *pThis) + } else { + LogError(0, RS_RET_CERT_INVALID, "nsd_ossl:not permitted to talk to peer: " + 
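Review bot: In osslChkPeerCertValidity the `OSSL_EXPIRED_WARN` branch now logs "nsd_ossl:TLS session terminated with remote syslog server.", but that branch has no `ABORT_FINALIZE` in the hunk, so the session appears to continue after the warning. Anyone correlating these records would then see a termination event for a connection that stayed up, which weakens the value of the new message in the branches that really abort. I would remove the added `LogMsg(0, RS_RET_NO_ERRCODE, LOG_INFO, ...)` from the WARN branch only and keep it in the `OSSL_EXPIRED_DENY` and validation-failed branches. The function body continues outside the hunk.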
"certificate validation failed: %s", X509_verify_cert_error_string(iVerErr)); ++ LogMsg(0, RS_RET_NO_ERRCODE, LOG_INFO, ++ "nsd_ossl:TLS session terminated with remote syslog server."); + ABORT_FINALIZE(RS_RET_CERT_INVALID); + } + } else { +@@ -1384,7 +1396,7 @@ osslPostHandshakeCheck(nsd_ossl_t *pNsd) + #if OPENSSL_VERSION_NUMBER >= 0x10002000L + if(SSL_get_shared_curve(pNsd->ssl, -1) == 0) { + LogError(0, RS_RET_NO_ERRCODE, "nsd_ossl:" +-"No shared curve between syslog client and server."); ++ "No shared curve between syslog client and server."); + } + #endif + sslCipher = (const SSL_CIPHER*) SSL_get_current_cipher(pNsd->ssl); +@@ -1446,8 +1458,6 @@ osslHandshakeCheck(nsd_ossl_t *pNsd) + resErr == SSL_ERROR_WANT_WRITE) { + pNsd->rtryCall = osslRtry_handshake; + pNsd->rtryOsslErr = resErr; /* Store SSL ErrorCode into*/ +- LogError(0, RS_RET_NO_ERRCODE, "nsd_ossl:" +-"TLS handshake failed between syslog client and server."); + dbgprintf("osslHandshakeCheck: OpenSSL Client handshake does not complete " + "immediately - setting to retry (this is OK and normal)\n"); + FINALIZE; +@@ -1458,6 +1468,8 @@ osslHandshakeCheck(nsd_ossl_t *pNsd) + ABORT_FINALIZE(RS_RET_NO_ERRCODE /*RS_RET_RETRY*/); + } else { + osslLastSSLErrorMsg(res, pNsd->ssl, LOG_ERR, "osslHandshakeCheck Client"); ++ LogMsg(0, RS_RET_NO_ERRCODE, LOG_INFO, ++ "nsd_ossl:TLS session terminated with remote syslog server."); + ABORT_FINALIZE(RS_RET_NO_ERRCODE); + } + } +@@ -1738,8 +1750,8 @@ Connect(nsd_t *pNsd, int family, uchar *port, uchar *host, char *device) + conn = BIO_new_socket(pPtcp->sock, BIO_CLOSE /*BIO_NOCLOSE*/); + dbgprintf("Connect: Init conn BIO[%p] done\n", (void *)conn); + +- LogMsg(0, RS_RET_NO_ERRCODE, LOG_INFO, "nsd_ossl:" +-"TLS Connection initiated with remote syslog server."); ++ LogMsg(0, RS_RET_NO_ERRCODE, LOG_INFO, "nsd_ossl: " ++ "TLS Connection initiated with remote syslog server."); + /*if we reach this point we are in tls mode */ + DBGPRINTF("Connect: TLS Mode\n"); + 
if(!(pThis->ssl = SSL_new(ctx))) { diff --git a/SOURCES/rsyslog-8.2102.0-nsd_ossl-memory-leak.patch b/SOURCES/rsyslog-8.2102.0-nsd_ossl-memory-leak.patch new file mode 100644 index 0000000..7b75773 --- /dev/null +++ b/SOURCES/rsyslog-8.2102.0-nsd_ossl-memory-leak.patch @@ -0,0 +1,25 @@ +diff --git a/runtime/nsd_ossl.c b/runtime/nsd_ossl.c +index 79347916e4..69ec57af09 100644 +--- a/runtime/nsd_ossl.c ++++ b/runtime/nsd_ossl.c +@@ -1821,11 +1821,8 @@ BIO_set_nbio( conn, 1 ); + } + + +-/* Empty wrapper for GNUTLS helper function +- * TODO: implement a similar capability +- */ + static rsRetVal +-SetGnutlsPriorityString(__attribute__((unused)) nsd_t *pNsd, __attribute__((unused)) uchar *gnutlsPriorityString) ++SetGnutlsPriorityString(nsd_t *const pNsd, uchar *const gnutlsPriorityString) + { + DEFiRet; + nsd_ossl_t* pThis = (nsd_ossl_t*) pNsd; +@@ -1905,6 +1902,7 @@ SetGnutlsPriorityString(__attribute__((unused)) nsd_t *pNsd, __attribute__((unus + pThis->gnutlsPriorityString); + osslLastSSLErrorMsg(0, NULL, LOG_ERR, "SetGnutlsPriorityString"); + } ++ SSL_CONF_CTX_free(cctx); + } + #else + dbgprintf("gnutlsPriorityString: set to '%s'\n", gnutlsPriorityString); diff --git a/SOURCES/rsyslog-8.2102.0-rhbz1832368-prioritize-SAN.patch b/SOURCES/rsyslog-8.2102.0-rhbz1832368-prioritize-SAN.patch new file mode 100644 index 0000000..07eef68 --- /dev/null +++ b/SOURCES/rsyslog-8.2102.0-rhbz1832368-prioritize-SAN.patch 
@@ -0,0 +1,11 @@ +diff -up rsyslog-8.2102.0/runtime/nsd_gtls.c.orig rsyslog-8.2102.0/runtime/nsd_gtls.c +--- rsyslog-8.2102.0/runtime/nsd_gtls.c.orig 2021-11-22 09:33:25.501668376 +0100 ++++ rsyslog-8.2102.0/runtime/nsd_gtls.c 2021-11-22 09:34:18.423642573 +0100 +@@ -1791,6 +1791,7 @@ AcceptConnReq(nsd_t *pNsd, nsd_t **ppNew + pNew->gnutlsPriorityString = pThis->gnutlsPriorityString; + pNew->DrvrVerifyDepth = pThis->DrvrVerifyDepth; + pNew->dataTypeCheck = pThis->dataTypeCheck; ++ pNew->bSANpriority = pThis->bSANpriority; + + /* if we reach this point, we are in TLS mode */ + iRet = gtlsInitSession(pNew); diff --git a/SOURCES/rsyslog-8.2102.0-rhbz1866877-unexpected-length.patch b/SOURCES/rsyslog-8.2102.0-rhbz1866877-unexpected-length.patch new file mode 100644 index 0000000..1b9fd47 --- /dev/null +++ b/SOURCES/rsyslog-8.2102.0-rhbz1866877-unexpected-length.patch @@ -0,0 +1,14 @@ +diff -up rsyslog-8.2102.0/plugins/imjournal/imjournal.c.orig rsyslog-8.2102.0/plugins/imjournal/imjournal.c +--- rsyslog-8.2102.0/plugins/imjournal/imjournal.c.orig 2021-06-28 09:05:23.283262154 +0200 ++++ rsyslog-8.2102.0/plugins/imjournal/imjournal.c 2021-06-28 09:10:05.858381106 +0200 +@@ -424,8 +424,8 @@ readjournal(void) + severity = cs.iDfltSeverity; + } + } else { +- LogError(0, RS_RET_ERR, "The value of the 'PRIORITY' field has an " +- "unexpected length: %zu\n", length); ++ DBGPRINTF("The value of the 'PRIORITY' field has an " ++ "unexpected length: %zu value: '%s'\n", length, (const char*)get); + } + } + diff --git a/SOURCES/rsyslog-8.2102.0-rhbz1886400-reduce-default-timeout.patch b/SOURCES/rsyslog-8.2102.0-rhbz1886400-reduce-default-timeout.patch new file mode 100644 index 0000000..a847084 --- /dev/null +++ b/SOURCES/rsyslog-8.2102.0-rhbz1886400-reduce-default-timeout.patch 
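Review bot: The new `DBGPRINTF` in readjournal prints `(const char*)get` with `%s` in the branch taken when `length` is not the expected size. If `get` points at a journal field buffer that is described by `length` rather than NUL-terminated (its declaration is outside the hunk, so this is an assumption to confirm), `%s` can read past the end of the buffer. The field content comes from whatever wrote the journal entry, so I would bound the output with the length already at hand: `"unexpected length: %zu value: '%.*s'\n", length, (int)length, (const char*)get`. readjournal's body continues outside the hunk.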
@@ -0,0 +1,21 @@ +diff -up rsyslog-8.2102.0/plugins/omrelp/omrelp.c.orig rsyslog-8.2102.0/plugins/omrelp/omrelp.c +--- rsyslog-8.2102.0/plugins/omrelp/omrelp.c.orig 2021-06-15 12:46:14.758589030 +0200 ++++ rsyslog-8.2102.0/plugins/omrelp/omrelp.c 2021-06-15 12:47:08.130516632 +0200 +@@ -303,7 +303,7 @@ ENDfreeCnf + BEGINcreateInstance + CODESTARTcreateInstance + pData->sizeWindow = 0; +- pData->timeout = 90; ++ pData->timeout = 5; + pData->connTimeout = 10; + pData->rebindInterval = 0; + pData->bEnableTLS = DFLT_ENABLE_TLS; +@@ -365,7 +365,7 @@ setInstParamDefaults(instanceData *pData + pData->target = NULL; + pData->port = NULL; + pData->tplName = NULL; +- pData->timeout = 90; ++ pData->timeout = 5; + pData->connTimeout = 10; + pData->sizeWindow = 0; + pData->rebindInterval = 0; diff --git a/SOURCES/rsyslog-8.2102.0-rhbz1909639-statefiles-doc.patch b/SOURCES/rsyslog-8.2102.0-rhbz1909639-statefiles-doc.patch new file mode 100644 index 0000000..b717972 --- /dev/null +++ b/SOURCES/rsyslog-8.2102.0-rhbz1909639-statefiles-doc.patch @@ -0,0 +1,47 @@ +diff -up rsyslog-8.2102.0/doc/configuration/modules/imfile.html.state-file-leaking-doc rsyslog-8.2102.0/doc/configuration/modules/imfile.html +--- rsyslog-8.2102.0/doc/configuration/modules/imfile.html.state-file-leaking-doc 2021-02-15 12:53:31.000000000 +0100 ++++ rsyslog-8.2102.0/doc/configuration/modules/imfile.html 2022-03-29 10:35:07.187827004 +0200 +@@ -294,6 +294,28 @@ rsyslog needs write permissions to work + also might require SELinux definitions (or similar for other enhanced security + systems).

+ ++
++

deleteStateOnFileMove

++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++
typedefaultmandatoryobsolete legacy directive
binaryoffnonone
++

This parameter controls if state files are deleted if their associated main file is rotated via move. Usually, this is a good idea, because otherwise state files are not deleted when log rotation occurs.

++ ++

However, there is one situation where not deleting associated state file after log rotation makes sense: this is the case if a monitored file is later moved back to the same location as it was before.

++
+ +
+

Input Parameters

+@@ -1214,6 +1236,7 @@ and Others.

+
  • sortFiles
  • +
  • PollingInterval
  • +
  • statefile.directory
  • ++
  • deleteStateOnFileMove
  • + + +
  • Input Parameters
      +@@ -1311,4 +1334,4 @@ and Others.

      + + +- +\ No newline at end of file ++ diff --git a/SOURCES/rsyslog-8.2102.0-rhbz1909639-statefiles-fix.patch b/SOURCES/rsyslog-8.2102.0-rhbz1909639-statefiles-fix.patch new file mode 100644 index 0000000..161f90c --- /dev/null +++ b/SOURCES/rsyslog-8.2102.0-rhbz1909639-statefiles-fix.patch 
@@ -0,0 +1,162 @@ +diff -up rsyslog-8.2102.0/plugins/imfile/imfile.c.state-file-leaking rsyslog-8.2102.0/plugins/imfile/imfile.c +--- rsyslog-8.2102.0/plugins/imfile/imfile.c.state-file-leaking 2021-01-18 11:21:14.000000000 +0100 ++++ rsyslog-8.2102.0/plugins/imfile/imfile.c 2022-03-28 12:51:03.572554843 +0200 +@@ -259,6 +259,7 @@ struct modConfData_s { + Must be manually reset to 0 if desired. Helper for + polling mode. + */ ++ sbool deleteStateOnFileMove; + }; + static modConfData_t *loadModConf = NULL;/* modConf ptr to use for the current load process */ + static modConfData_t *runModConf = NULL;/* modConf ptr to use for run process */ +@@ -305,7 +306,8 @@ static struct cnfparamdescr modpdescr[] + { "sortfiles", eCmdHdlrBinary, 0 }, + { "statefile.directory", eCmdHdlrString, 0 }, + { "normalizepath", eCmdHdlrBinary, 0 }, +- { "mode", eCmdHdlrGetWord, 0 } ++ { "mode", eCmdHdlrGetWord, 0 }, ++ { "deletestateonfilemove", eCmdHdlrBinary, 0 } + }; + static struct cnfparamblk modpblk = + { CNFPARAMBLK_VERSION, +@@ -545,11 +547,20 @@ static int + in_setupWatch(act_obj_t *const act, const int is_file) + { + int wd = -1; ++ int flags; + if(runModConf->opMode != OPMODE_INOTIFY) + goto done; + +- wd = inotify_add_watch(ino_fd, act->name, +- (is_file) ? IN_MODIFY|IN_DONT_FOLLOW : IN_CREATE|IN_DELETE|IN_MOVED_FROM|IN_MOVED_TO); ++ // wd = inotify_add_watch(ino_fd, act->name, ++ // (is_file) ? 
IN_MODIFY|IN_DONT_FOLLOW : IN_CREATE|IN_DELETE|IN_MOVED_FROM|IN_MOVED_TO); ++ if(is_file) ++ flags = IN_MODIFY|IN_DONT_FOLLOW; ++ else if(runModConf->deleteStateOnFileMove) ++ flags = IN_CREATE|IN_DELETE|IN_MOVED_TO; ++ else ++ flags = IN_CREATE|IN_DELETE|IN_MOVED_FROM|IN_MOVED_TO; ++ wd = inotify_add_watch(ino_fd, act->name, flags); ++ + if(wd < 0) { + if (errno == EACCES) { /* There is high probability of selinux denial on top-level paths */ + DBGPRINTF("imfile: permission denied when adding watch for '%s'\n", act->name); +@@ -713,7 +724,7 @@ act_obj_add(fs_edge_t *const edge, const + char basename[MAXFNAME]; + DEFiRet; + int fd = -1; +- ++ + DBGPRINTF("act_obj_add: edge %p, name '%s' (source '%s')\n", edge, name, source? source : "---"); + for(act = edge->active ; act != NULL ; act = act->next) { + if(!strcmp(act->name, name)) { +@@ -977,9 +988,18 @@ act_obj_destroy(act_obj_t *const act, co + if(act == NULL) + return; + +- DBGPRINTF("act_obj_destroy: act %p '%s' (source '%s'), wd %d, pStrm %p, is_deleted %d, in_move %d\n", +- act, act->name, act->source_name? act->source_name : "---", act->wd, act->pStrm, is_deleted, +- act->in_move); ++ // DBGPRINTF("act_obj_destroy: act %p '%s' (source '%s'), wd %d, pStrm %p, is_deleted %d, in_move %d\n", ++ // act, act->name, act->source_name? act->source_name : "---", act->wd, act->pStrm, is_deleted, ++ // act->in_move); ++ if (runModConf->deleteStateOnFileMove) { ++ DBGPRINTF("act_obj_destroy: act %p '%s' (source '%s'), wd %d, pStrm %p, is_deleted %d\n", ++ act, act->name, act->source_name? act->source_name : "---", act->wd, act->pStrm, is_deleted); ++ } else { ++ DBGPRINTF("act_obj_destroy: act %p '%s' (source '%s'), wd %d, pStrm %p, is_deleted %d, in_move %d\n", ++ act, act->name, act->source_name? 
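Review bot: in_setupWatch keeps the replaced `inotify_add_watch` call as `//` comments above the new code, and the later hunks do the same in act_obj_destroy (the old DBGPRINTF, the old `getFullStateFileName` call, the old `if(is_deleted && !act->in_move ...)`) and in in_processEvent (the whole previous event dispatch). The history is already in version control, and the dead lines make it harder to see which flags are actually in effect. I would delete them and leave one explanatory comment on the new branch instead, for example `/* with deleteStateOnFileMove set, IN_MOVED_FROM is not watched on directories */`. The `// TODO: check!` carried over onto the new `getFullStateFileName(statefn, act->file_id, ...)` line should be resolved or reworded, since that path is later passed to `unlink()`.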
act->source_name : "---", act->wd, act->pStrm, ++ is_deleted, act->in_move); ++ } ++ + if(act->is_symlink && is_deleted) { + act_obj_t *target_act; + for(target_act = act->edge->active ; target_act != NULL ; target_act = target_act->next) { +@@ -996,13 +1016,15 @@ act_obj_destroy(act_obj_t *const act, co + pollFile(act); /* get any left-over data */ + if(inst->bRMStateOnDel) { + statefn = getStateFileName(act, statefile, sizeof(statefile)); +- getFullStateFileName(statefn, "", toDel, sizeof(toDel)); // TODO: check! ++ // getFullStateFileName(statefn, "", toDel, sizeof(toDel)); // TODO: check! ++ getFullStateFileName(statefn, act->file_id, toDel, sizeof(toDel)); // TODO: check! + statefn = toDel; + } + persistStrmState(act); + strm.Destruct(&act->pStrm); + /* we delete state file after destruct in case strm obj initiated a write */ +- if(is_deleted && !act->in_move && inst->bRMStateOnDel) { ++ // if(is_deleted && !act->in_move && inst->bRMStateOnDel) { ++ if(is_deleted && inst->bRMStateOnDel && (runModConf->deleteStateOnFileMove || !act->in_move)) { + DBGPRINTF("act_obj_destroy: deleting state file %s\n", statefn); + unlink((char*)statefn); + } +@@ -1012,6 +1034,7 @@ act_obj_destroy(act_obj_t *const act, co + } + #ifdef HAVE_INOTIFY_INIT + if(act->wd != -1) { ++ inotify_rm_watch(ino_fd, act->wd); + wdmapDel(act->wd); + } + #endif +@@ -2026,6 +2049,7 @@ CODESTARTbeginCnfLoad + loadModConf->timeoutGranularity = 1000; /* default: 1 second */ + loadModConf->haveReadTimeouts = 0; /* default: no timeout */ + loadModConf->normalizePath = 1; ++ loadModConf->deleteStateOnFileMove = 0; + loadModConf->sortFiles = GLOB_NOSORT; + loadModConf->stateFileDirectory = NULL; + loadModConf->conf_tree = calloc(sizeof(fs_node_t), 1); +@@ -2085,6 +2109,8 @@ CODESTARTsetModCnf + loadModConf->stateFileDirectory = (uchar*)es_str2cstr(pvals[i].val.d.estr, NULL); + } else if(!strcmp(modpblk.descr[i].name, "normalizepath")) { + loadModConf->normalizePath = (sbool) pvals[i].val.d.n; ++ } else 
if(!strcmp(modpblk.descr[i].name, "deletestateonfilemove")) { ++ loadModConf->deleteStateOnFileMove = (sbool) pvals[i].val.d.n; + } else if(!strcmp(modpblk.descr[i].name, "mode")) { + if(!es_strconstcmp(pvals[i].val.d.estr, "polling")) + loadModConf->opMode = OPMODE_POLLING; +@@ -2388,16 +2414,35 @@ in_processEvent(struct inotify_event *ev + DBGPRINTF("in_processEvent process Event %x is_file %d, act->name '%s'\n", + ev->mask, etry->act->edge->is_file, etry->act->name); + +- if((ev->mask & IN_MOVED_FROM)) { +- flag_in_move(etry->act->edge->node->edges, ev->name); +- } +- if(ev->mask & (IN_MOVED_FROM | IN_MOVED_TO)) { +- fs_node_walk(etry->act->edge->node, poll_tree); +- } else if(etry->act->edge->is_file && !(etry->act->is_symlink)) { +- in_handleFileEvent(ev, etry); // esentially poll_file()! ++ // if((ev->mask & IN_MOVED_FROM)) { ++ // flag_in_move(etry->act->edge->node->edges, ev->name); ++ // } ++ // if(ev->mask & (IN_MOVED_FROM | IN_MOVED_TO)) { ++ // fs_node_walk(etry->act->edge->node, poll_tree); ++ // } else if(etry->act->edge->is_file && !(etry->act->is_symlink)) { ++ // in_handleFileEvent(ev, etry); // esentially poll_file()! ++ // } else { ++ // fs_node_walk(etry->act->edge->node, poll_tree); ++ // } ++ if(!runModConf->deleteStateOnFileMove) { ++ if((ev->mask & IN_MOVED_FROM)) { ++ flag_in_move(etry->act->edge->node->edges, ev->name); ++ } ++ if(ev->mask & (IN_MOVED_FROM | IN_MOVED_TO)) { ++ fs_node_walk(etry->act->edge->node, poll_tree); ++ } else if(etry->act->edge->is_file && !(etry->act->is_symlink)) { ++ in_handleFileEvent(ev, etry); // esentially poll_file()! ++ } else { ++ fs_node_walk(etry->act->edge->node, poll_tree); ++ } + } else { +- fs_node_walk(etry->act->edge->node, poll_tree); ++ if((ev->mask & IN_MODIFY) && etry->act->edge->is_file && !(etry->act->is_symlink)) { ++ in_handleFileEvent(ev, etry); // esentially poll_file()! ++ } else { ++ fs_node_walk(etry->act->edge->node, poll_tree); ++ } + } ++ + done: return; + } + 
diff --git a/SOURCES/rsyslog-8.2102.0-rhbz1960536-fdleak-on-fsync.patch b/SOURCES/rsyslog-8.2102.0-rhbz1960536-fdleak-on-fsync.patch new file mode 100644 index 0000000..f95dd5a --- /dev/null +++ b/SOURCES/rsyslog-8.2102.0-rhbz1960536-fdleak-on-fsync.patch @@ -0,0 +1,20 @@ +diff -up rsyslog-8.2102.0/plugins/imjournal/imjournal.c.orig rsyslog-8.2102.0/plugins/imjournal/imjournal.c +--- rsyslog-8.2102.0/plugins/imjournal/imjournal.c.orig 2021-06-15 12:30:35.238832058 +0200 ++++ rsyslog-8.2102.0/plugins/imjournal/imjournal.c 2021-06-15 12:32:04.699721356 +0200 +@@ -565,6 +565,8 @@ persistJournalState(void) + ABORT_FINALIZE(RS_RET_IO_ERROR); + } + ++ fflush(sf); ++ + /* change the name of the file to the configured one */ + if (rename(tmp_sf, cs.stateFile) < 0) { + LogError(errno, iRet, "imjournal: rename() failed for new path: '%s'", cs.stateFile); +@@ -586,6 +588,7 @@ persistJournalState(void) + LogError(errno, RS_RET_IO_ERROR, "imjournal: fsync on '%s' failed", glbl.GetWorkDir()); + ABORT_FINALIZE(RS_RET_IO_ERROR); + } ++ closedir(wd); + } + + DBGPRINTF("Persisted journal to '%s'\n", cs.stateFile); diff --git a/SOURCES/rsyslog-8.2102.0-rhbz1962318-errfile-maxsize.patch b/SOURCES/rsyslog-8.2102.0-rhbz1962318-errfile-maxsize.patch new file mode 100644 index 0000000..912a8b1 --- /dev/null +++ b/SOURCES/rsyslog-8.2102.0-rhbz1962318-errfile-maxsize.patch 
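Review bot: The added `fflush(sf);` in persistJournalState ignores its return value, and the very next step renames the temporary file over the configured state file. If the flush fails, for example on a full disk, a short or empty state file would still replace the good one. I would check it in the same style as the surrounding calls: `if (fflush(sf) != 0) { LogError(errno, RS_RET_IO_ERROR, "imjournal: fflush() failed for '%s'", tmp_sf); ABORT_FINALIZE(RS_RET_IO_ERROR); }`. The function body starts and ends outside the hunk.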
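Review bot: The added `closedir(wd);` is reached only when the directory fsync succeeds; the failure branch just above it runs `ABORT_FINALIZE(RS_RET_IO_ERROR);` first. Unless the code after `finalize_it` closes `wd` (that part is outside the hunk), the descriptor this patch is meant to stop leaking still leaks on every fsync failure. Calling `closedir(wd);` before the `ABORT_FINALIZE` in that branch, or moving the close into the common exit path, would cover both cases.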
@@ -0,0 +1,190 @@ +--- rsyslog-8.2102.0/action.c 2021-02-15 12:06:16.000000000 +0100 ++++ rsyslog-8.2102.0-changes/action.c 2022-03-08 15:55:33.989525382 +0100 +@@ -198,6 +198,7 @@ + { "name", eCmdHdlrGetWord, 0 }, /* legacy: actionname */ + { "type", eCmdHdlrString, CNFPARAM_REQUIRED }, /* legacy: actionname */ + { "action.errorfile", eCmdHdlrString, 0 }, ++ { "action.errorfile.maxsize", eCmdHdlrInt, 0 }, + { "action.writeallmarkmessages", eCmdHdlrBinary, 0 }, /* legacy: actionwriteallmarkmessages */ + { "action.execonlyeverynthtime", eCmdHdlrInt, 0 }, /* legacy: actionexeconlyeverynthtime */ + { "action.execonlyeverynthtimetimeout", eCmdHdlrInt, 0 }, /* legacy: actionexeconlyeverynthtimetimeout */ +@@ -400,6 +401,8 @@ + pThis->iResumeRetryCount = 0; + pThis->pszName = NULL; + pThis->pszErrFile = NULL; ++ pThis->maxErrFileSize = 0; ++ pThis->errFileWritten = 0; + pThis->pszExternalStateFile = NULL; + pThis->fdErrFile = -1; + pThis->bWriteAllMarkMsgs = 1; +@@ -1436,6 +1439,12 @@ + pThis->pszName, pThis->pszErrFile); + goto done; + } ++ struct stat statbuf; ++ if (fstat(pThis->fdErrFile, &statbuf) == -1) { ++ LogError(errno, RS_RET_ERR, "failed to fstat %s", pThis->pszErrFile); ++ goto done; ++ } ++ pThis->errFileWritten += statbuf.st_size; + } + + for(int i = 0 ; i < nparams ; ++i) { +@@ -1454,16 +1463,26 @@ + char *const rendered = strdup((char*)fjson_object_to_json_string(etry)); + if(rendered == NULL) + goto done; +- const size_t toWrite = strlen(rendered) + 1; +- /* note: we use the '\0' inside the string to store a LF - we do not +- * otherwise need it and it safes us a copy/realloc. +- */ +- rendered[toWrite-1] = '\n'; /* NO LONGER A STRING! 
*/ +- const ssize_t wrRet = write(pThis->fdErrFile, rendered, toWrite); +- if(wrRet != (ssize_t) toWrite) { +- LogError(errno, RS_RET_IO_ERROR, +- "action %s: error writing errorFile %s, write returned %lld", +- pThis->pszName, pThis->pszErrFile, (long long) wrRet); ++ size_t toWrite = strlen(rendered) + 1; ++ // Check if need to truncate the amount of bytes to write ++ if (pThis->maxErrFileSize > 0) { ++ if (pThis->errFileWritten + toWrite > pThis->maxErrFileSize) { ++ // Truncate to the pending available ++ toWrite = pThis->maxErrFileSize - pThis->errFileWritten; ++ } ++ pThis->errFileWritten += toWrite; ++ } ++ if(toWrite > 0) { ++ /* note: we use the '\0' inside the string to store a LF - we do not ++ * otherwise need it and it safes us a copy/realloc. ++ */ ++ rendered[toWrite-1] = '\n'; /* NO LONGER A STRING! */ ++ const ssize_t wrRet = write(pThis->fdErrFile, rendered, toWrite); ++ if(wrRet != (ssize_t) toWrite) { ++ LogError(errno, RS_RET_IO_ERROR, ++ "action %s: error writing errorFile %s, write returned %lld", ++ pThis->pszName, pThis->pszErrFile, (long long) wrRet); ++ } + } + free(rendered); + +@@ -2048,6 +2067,8 @@ + continue; /* this is handled seperately during module select! 
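Review bot: The truncation `toWrite = pThis->maxErrFileSize - pThis->errFileWritten;` underflows when `errFileWritten` is already larger than `maxErrFileSize`. The fstat hunk above makes that reachable: it adds the existing file's `st_size` to `errFileWritten`, so an error file that is already bigger than the configured limit (or a limit lowered between runs) gives a huge `size_t`. The code then stores `'\n'` at `rendered[toWrite-1]`, far outside the `strdup` buffer, and passes the same length to `write()`. Clamp to zero once the cap is reached, and compare against the remaining space rather than against a sum, as in the rewritten lines below. The enclosing function starts and ends outside the hunk.

```c
size_t toWrite = strlen(rendered) + 1;
if (pThis->maxErrFileSize > 0) {
	if (pThis->errFileWritten >= pThis->maxErrFileSize) {
		/* cap already reached, e.g. a pre-existing file larger than the limit */
		toWrite = 0;
	} else if (toWrite > pThis->maxErrFileSize - pThis->errFileWritten) {
		/* truncate to the space that is left */
		toWrite = pThis->maxErrFileSize - pThis->errFileWritten;
	}
	pThis->errFileWritten += toWrite;
}
/* … unchanged: if(toWrite > 0) { newline store and write() } … */
```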
*/ + } else if(!strcmp(pblk.descr[i].name, "action.errorfile")) { + pAction->pszErrFile = es_str2cstr(pvals[i].val.d.estr, NULL); ++ } else if(!strcmp(pblk.descr[i].name, "action.errorfile.maxsize")) { ++ pAction->maxErrFileSize = pvals[i].val.d.n; + } else if(!strcmp(pblk.descr[i].name, "action.externalstate.file")) { + pAction->pszExternalStateFile = es_str2cstr(pvals[i].val.d.estr, NULL); + } else if(!strcmp(pblk.descr[i].name, "action.writeallmarkmessages")) { +--- rsyslog-8.2102.0-ori/action.h 2020-10-03 19:06:47.000000000 +0200 ++++ rsyslog-8.2102.0-changes/action.h 2022-03-04 11:36:47.024588972 +0100 +@@ -77,6 +77,8 @@ + /* error file */ + const char *pszErrFile; + int fdErrFile; ++ size_t maxErrFileSize; ++ size_t errFileWritten; + pthread_mutex_t mutErrFile; + /* external stat file system */ + const char *pszExternalStateFile; +--- rsyslog-8.2102.0-ori/tests/Makefile.am 2021-02-15 12:06:16.000000000 +0100 ++++ rsyslog-8.2102.0-changes/tests/Makefile.am 2022-03-04 11:38:01.625095709 +0100 +@@ -695,7 +695,8 @@ + mysql-actq-mt.sh \ + mysql-actq-mt-withpause.sh \ + action-tx-single-processing.sh \ +- action-tx-errfile.sh ++ action-tx-errfile.sh \ ++ action-tx-errfile-maxsize.sh + + mysql-basic.log: mysqld-start.log + mysql-basic-cnf6.log: mysqld-start.log +@@ -2156,6 +2157,8 @@ + sndrcv_omudpspoof_nonstdpt.sh \ + sndrcv_gzip.sh \ + action-tx-single-processing.sh \ ++ omfwd-errfile-maxsize.sh \ ++ action-tx-errfile-maxsize.sh \ + action-tx-errfile.sh \ + testsuites/action-tx-errfile.result \ + pipeaction.sh \ +--- rsyslog-8.2102.0-ori/tests/omfwd-errfile-maxsize.sh 1970-01-01 01:00:00.000000000 +0100 ++++ rsyslog-8.2102.0-changes/tests/omfwd-errfile-maxsize.sh 2022-03-04 11:39:02.060506234 +0100 +@@ -0,0 +1,17 @@ ++#!/bin/bash ++# part of the rsyslog project, released under ASL 2.0 ++. 
${srcdir:=.}/diag.sh init ++ ++export MAX_ERROR_SIZE=1999 ++ ++generate_conf ++add_conf ' ++action(type="omfwd" target="1.2.3.4" port="1234" Protocol="tcp" NetworkNamespace="doesNotExist" ++ action.errorfile="'$RSYSLOG2_OUT_LOG'" action.errorfile.maxsize="'$MAX_ERROR_SIZE'") ++' ++startup ++shutdown_when_empty ++wait_shutdown ++check_file_exists ${RSYSLOG2_OUT_LOG} ++file_size_check ${RSYSLOG2_OUT_LOG} ${MAX_ERROR_SIZE} ++exit_test +--- rsyslog-8.2102.0-ori/tests/action-tx-errfile-maxsize.sh 1970-01-01 01:00:00.000000000 +0100 ++++ rsyslog-8.2102.0-changes/tests/action-tx-errfile-maxsize.sh 2022-03-04 11:59:22.592796989 +0100 +@@ -0,0 +1,35 @@ ++#!/bin/bash ++# part of the rsyslog project, released under ASL 2.0 ++ ++. ${srcdir:=.}/diag.sh init ++ ++export NUMMESSAGES=50 # enough to generate big file ++export MAX_ERROR_SIZE=100 ++ ++generate_conf ++add_conf ' ++$ModLoad ../plugins/ommysql/.libs/ommysql ++global(errormessagestostderr.maxnumber="5") ++ ++template(type="string" name="tpl" string="insert into SystemEvents (Message, Facility) values (\"%msg%\", %$!facility%)" option.sql="on") ++ ++if((not($msg contains "error")) and ($msg contains "msgnum:")) then { ++ set $.num = field($msg, 58, 2); ++ if $.num % 2 == 0 then { ++ set $!facility = $syslogfacility; ++ } else { ++ set $/cntr = 0; ++ } ++ action(type="ommysql" name="mysql_action_errfile_maxsize" server="127.0.0.1" template="tpl" ++ db="'$RSYSLOG_DYNNAME'" uid="rsyslog" pwd="testbench" action.errorfile="'$RSYSLOG2_OUT_LOG'" action.errorfile.maxsize="'$MAX_ERROR_SIZE'") ++} ++' ++mysql_prep_for_test ++startup ++injectmsg ++shutdown_when_empty ++wait_shutdown ++mysql_get_data ++check_file_exists ${RSYSLOG2_OUT_LOG} ++file_size_check ${RSYSLOG2_OUT_LOG} ${MAX_ERROR_SIZE} ++exit_test +--- rsyslog-8.2102.0/tests/omfwd-errfile-maxsize-filled.sh 1970-01-01 01:00:00.000000000 +0100 ++++ rsyslog-8.2102.0-changes/tests/omfwd-errfile-maxsize-filled.sh 2022-03-08 16:24:01.174365289 +0100 +@@ -0,0 +1,19 @@ ++#!/bin/bash 
++# part of the rsyslog project, released under ASL 2.0 ++. ${srcdir:=.}/diag.sh init ++ERRFILE=$(mktemp) ++export MAX_ERROR_SIZE=1999 ++export INITIAL_FILE_SIZE=$((MAX_ERROR_SIZE - 100)) ++dd if=/dev/urandom of=${ERRFILE} bs=1 count=${INITIAL_FILE_SIZE} ++generate_conf ++add_conf ' ++action(type="omfwd" target="1.2.3.4" port="1234" Protocol="tcp" NetworkNamespace="doesNotExist" ++ action.errorfile="'$ERRFILE'" action.errorfile.maxsize="'$MAX_ERROR_SIZE'") ++' ++startup ++shutdown_when_empty ++wait_shutdown ++check_file_exists ${ERRFILE} ++file_size_check ${ERRFILE} ${MAX_ERROR_SIZE} ++exit_test ++rm ${ERRFILE} diff --git a/SOURCES/rsyslog-8.2102.0-rhbz1984489-remove-abort-on-id-resolution-fail.patch b/SOURCES/rsyslog-8.2102.0-rhbz1984489-remove-abort-on-id-resolution-fail.patch new file mode 100644 index 0000000..344eef6 --- /dev/null +++ b/SOURCES/rsyslog-8.2102.0-rhbz1984489-remove-abort-on-id-resolution-fail.patch 
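Review bot: The final `rm ${ERRFILE}` in omfwd-errfile-maxsize-filled.sh sits after `exit_test`, so if that helper ends the script, as its name suggests, the file created by `mktemp` is never removed. Moving the cleanup ahead of it as `rm -f "${ERRFILE}"`, or registering `trap 'rm -f "$ERRFILE"' EXIT` right after the `mktemp` line, would also clean up when a check fails. The script is not named in either tests/Makefile.am hunk above, so it may be neither run nor shipped; listing it next to `omfwd-errfile-maxsize.sh` would fix that.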
@@ -0,0 +1,102 @@ +diff -up rsyslog-8.2102.0/runtime/cfsysline.c.orig rsyslog-8.2102.0/runtime/cfsysline.c +--- rsyslog-8.2102.0/runtime/cfsysline.c.orig 2021-08-04 07:16:02.663163106 +0200 ++++ rsyslog-8.2102.0/runtime/cfsysline.c 2021-08-04 07:18:05.952490008 +0200 +@@ -353,13 +353,8 @@ static rsRetVal doGetGID(uchar **pp, rsR + assert(*pp != NULL); + + if(getSubString(pp, (char*) szName, sizeof(szName), ' ') != 0) { +- if(loadConf->globals.abortOnIDResolutionFail) { +- fprintf(stderr, "could not extract group name: %s\n", (char*)szName); +- exit(1); /* good exit */ +- } else { +- LogError(0, RS_RET_NOT_FOUND, "could not extract group name"); +- ABORT_FINALIZE(RS_RET_NOT_FOUND); +- } ++ LogError(0, RS_RET_NOT_FOUND, "could not extract group name"); ++ ABORT_FINALIZE(RS_RET_NOT_FOUND); + } + + do { +@@ -380,10 +375,6 @@ static rsRetVal doGetGID(uchar **pp, rsR + LogError(0, RS_RET_NOT_FOUND, "ID for group '%s' could not be found", szName); + } + iRet = RS_RET_NOT_FOUND; +- if(loadConf->globals.abortOnIDResolutionFail) { +- fprintf(stderr, "ID for group '%s' could not be found or error\n", szName); +- exit(1); /* good exit */ +- } + } else { + if(pSetHdlr == NULL) { + /* we should set value directly to var */ +@@ -418,25 +409,15 @@ static rsRetVal doGetUID(uchar **pp, rsR + assert(*pp != NULL); + + if(getSubString(pp, (char*) szName, sizeof(szName), ' ') != 0) { +- if(loadConf->globals.abortOnIDResolutionFail) { +- fprintf(stderr, "could not extract user name: %s\n", (char*)szName); +- exit(1); /* good exit */ +- } else { +- LogError(0, RS_RET_NOT_FOUND, "could not extract user name"); +- ABORT_FINALIZE(RS_RET_NOT_FOUND); +- } ++ LogError(0, RS_RET_NOT_FOUND, "could not extract user name"); ++ ABORT_FINALIZE(RS_RET_NOT_FOUND); + } + + getpwnam_r((char*)szName, &pwBuf, stringBuf, sizeof(stringBuf), &ppwBuf); + + if(ppwBuf == NULL) { +- if(loadConf->globals.abortOnIDResolutionFail) { +- fprintf(stderr, "ID for user '%s' could not be found or error\n", (char*)szName); 
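Review bot: With the `abortOnIDResolutionFail` branches removed, a user or group name that cannot be resolved in doGetGID/doGetUID now only produces a LogError and `RS_RET_NOT_FOUND`, so startup continues where it previously stopped by default (the rsconf.c hunk shows the flag was initialised to 1). If these handlers feed the privilege-drop or file-ownership settings, which is not visible in these hunks, a typo in the configuration could leave the daemon running under its original identity. The same applies to the lookup-failure hunks at -380 and -418. A comment at each site such as `/* not fatal here: callers using the ID for privilege drop must treat RS_RET_NOT_FOUND as a hard error */` would record the contract, and the release notes should say that `security.abortonidresolutionfail` is no longer accepted, since the glbl.c hunk drops the parameter. Both functions start and end outside the hunks.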
+- exit(1); /* good exit */ +- } else { +- LogError(0, RS_RET_NOT_FOUND, "ID for user '%s' could not be found or error", (char*)szName); +- iRet = RS_RET_NOT_FOUND; +- } ++ LogError(0, RS_RET_NOT_FOUND, "ID for user '%s' could not be found or error", (char*)szName); ++ iRet = RS_RET_NOT_FOUND; + } else { + if(pSetHdlr == NULL) { + /* we should set value directly to var */ +diff -up rsyslog-8.2102.0/runtime/glbl.c.orig rsyslog-8.2102.0/runtime/glbl.c +--- rsyslog-8.2102.0/runtime/glbl.c.orig 2021-08-04 07:18:19.301633677 +0200 ++++ rsyslog-8.2102.0/runtime/glbl.c 2021-08-04 07:19:02.409019106 +0200 +@@ -210,7 +210,6 @@ static struct cnfparamdescr cnfparamdesc + { "environment", eCmdHdlrArray, 0 }, + { "processinternalmessages", eCmdHdlrBinary, 0 }, + { "umask", eCmdHdlrFileCreateMode, 0 }, +- { "security.abortonidresolutionfail", eCmdHdlrBinary, 0 }, + { "internal.developeronly.options", eCmdHdlrInt, 0 }, + { "internalmsg.ratelimit.interval", eCmdHdlrPositiveInt, 0 }, + { "internalmsg.ratelimit.burst", eCmdHdlrPositiveInt, 0 }, +@@ -1443,8 +1442,6 @@ glblDoneLoadCnf(void) + glblInputTimeoutShutdown = (int) cnfparamvals[i].val.d.n; + } else if(!strcmp(paramblk.descr[i].name, "privdrop.group.keepsupplemental")) { + loadConf->globals.gidDropPrivKeepSupplemental = (int) cnfparamvals[i].val.d.n; +- } else if(!strcmp(paramblk.descr[i].name, "security.abortonidresolutionfail")) { +- loadConf->globals.abortOnIDResolutionFail = (int) cnfparamvals[i].val.d.n; + } else if(!strcmp(paramblk.descr[i].name, "net.acladdhostnameonfail")) { + *(net.pACLAddHostnameOnFail) = (int) cnfparamvals[i].val.d.n; + } else if(!strcmp(paramblk.descr[i].name, "net.aclresolvehostname")) { +diff -up rsyslog-8.2102.0/runtime/rsconf.c.orig rsyslog-8.2102.0/runtime/rsconf.c +--- rsyslog-8.2102.0/runtime/rsconf.c.orig 2021-08-04 07:19:13.103104854 +0200 ++++ rsyslog-8.2102.0/runtime/rsconf.c 2021-08-04 07:19:44.635357684 +0200 +@@ -156,7 +156,6 @@ static void cnfSetDefaults(rsconf_t *pTh + 
pThis->globals.maxErrMsgToStderr = -1; + pThis->globals.umask = -1; + pThis->globals.gidDropPrivKeepSupplemental = 0; +- pThis->globals.abortOnIDResolutionFail = 1; + pThis->templates.root = NULL; + pThis->templates.last = NULL; + pThis->templates.lastStatic = NULL; +diff -up rsyslog-8.2102.0/runtime/rsconf.h.orig rsyslog-8.2102.0/runtime/rsconf.h +--- rsyslog-8.2102.0/runtime/rsconf.h.orig 2021-08-04 07:20:15.848607958 +0200 ++++ rsyslog-8.2102.0/runtime/rsconf.h 2021-08-04 07:20:42.782823920 +0200 +@@ -73,7 +73,6 @@ struct globals_s { + int uidDropPriv; /* user-id to which priveleges should be dropped to */ + int gidDropPriv; /* group-id to which priveleges should be dropped to */ + int gidDropPrivKeepSupplemental; /* keep supplemental groups when dropping? */ +- int abortOnIDResolutionFail; + int umask; /* umask to use */ + uchar *pszConfDAGFile; /* name of config DAG file, non-NULL means generate one */ + diff --git a/SOURCES/rsyslog-8.2102.0-rhbz1984616-imuxsock-ratelimit.patch b/SOURCES/rsyslog-8.2102.0-rhbz1984616-imuxsock-ratelimit.patch new file mode 100644 index 0000000..710f48c --- /dev/null +++ b/SOURCES/rsyslog-8.2102.0-rhbz1984616-imuxsock-ratelimit.patch 
@@ -0,0 +1,26 @@ +diff -up rsyslog-8.2102.0/runtime/ratelimit.c.orig rsyslog-8.2102.0/runtime/ratelimit.c +--- rsyslog-8.2102.0/runtime/ratelimit.c.orig 2021-07-27 10:37:50.972903104 +0200 ++++ rsyslog-8.2102.0/runtime/ratelimit.c 2021-07-27 10:38:26.141002988 +0200 +@@ -235,7 +235,6 @@ ratelimitMsg(ratelimit_t *__restrict__ c + { + DEFiRet; + rsRetVal localRet; +- int severity = 0; + + *ppRepMsg = NULL; + +@@ -246,13 +245,12 @@ ratelimitMsg(ratelimit_t *__restrict__ c + DBGPRINTF("Message discarded, parsing error %d\n", localRet); + ABORT_FINALIZE(RS_RET_DISCARDMSG); + } +- severity = pMsg->iSeverity; + } + } + + /* Only the messages having severity level at or below the + * treshold (the value is >=) are subject to ratelimiting. */ +- if(ratelimit->interval && (severity >= ratelimit->severity)) { ++ if(ratelimit->interval && (pMsg->iSeverity >= ratelimit->severity)) { + char namebuf[512]; /* 256 for FGDN adn 256 for APPNAME should be enough */ + snprintf(namebuf, sizeof namebuf, "%s:%s", getHOSTNAME(pMsg), + getAPPNAME(pMsg, 0)); diff --git a/SOURCES/rsyslog-8.2102.0-rhbz2046158-correct-custom-ciphers-behaviour.patch b/SOURCES/rsyslog-8.2102.0-rhbz2046158-correct-custom-ciphers-behaviour.patch new file mode 100644 index 0000000..e98ead2 --- /dev/null +++ b/SOURCES/rsyslog-8.2102.0-rhbz2046158-correct-custom-ciphers-behaviour.patch 
@@ -0,0 +1,354 @@ +diff -up rsyslog-8.2102.0/runtime/nsd_ossl.c.orig rsyslog-8.2102.0/runtime/nsd_ossl.c +--- rsyslog-8.2102.0/runtime/nsd_ossl.c.orig 2022-04-15 13:42:05.320615894 +0200 ++++ rsyslog-8.2102.0/runtime/nsd_ossl.c 2022-04-15 14:33:43.472482696 +0200 +@@ -609,10 +609,10 @@ finalize_it: + } + + static rsRetVal +-osslInitSession(nsd_ossl_t *pThis) /* , nsd_ossl_t *pServer) */ ++osslInitSession(nsd_ossl_t *pThis, osslSslState_t osslType) /* , nsd_ossl_t *pServer) */ + { + DEFiRet; +- BIO *client; ++ BIO *conn; + char pristringBuf[4096]; + nsd_ptcp_t *pPtcp = (nsd_ptcp_t*) pThis->pTcp; + +@@ -633,10 +633,8 @@ osslInitSession(nsd_ossl_t *pThis) /* , + if (pThis->DrvrVerifyDepth != 0) { + SSL_set_verify_depth(pThis->ssl, pThis->DrvrVerifyDepth); + } +- } +- +- if (bAnonInit == 1) { /* no mutex needed, read-only after init */ +- /* Allow ANON Ciphers */ ++ } else if (bAnonInit == 1 && pThis->gnutlsPriorityString == NULL) { ++ /* Allow ANON Ciphers only in ANON Mode and if no custom priority string is defined */ + #if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) + /* NOTE: do never use: +eNULL, it DISABLES encryption! */ + strncpy(pristringBuf, "ALL:+COMPLEMENTOFDEFAULT:+ADH:+ECDH:+aNULL@SECLEVEL=0", +@@ -653,21 +651,28 @@ osslInitSession(nsd_ossl_t *pThis) /* , + } + } + +- /* Create BIO from ptcp socket! */ +- client = BIO_new_socket(pPtcp->sock, BIO_CLOSE /*BIO_NOCLOSE*/); +- dbgprintf("osslInitSession: Init client BIO[%p] done\n", (void *)client); + +- /* Set debug Callback for client BIO as well! */ +- BIO_set_callback(client, BIO_debug_callback); ++ /* Create BIO from ptcp socket! */ ++ conn = BIO_new_socket(pPtcp->sock, BIO_CLOSE /*BIO_NOCLOSE*/); ++ dbgprintf("osslInitSession: Init conn BIO[%p] done\n", (void *)conn); + +-/* TODO: still needed? Set to NON blocking ! */ +-BIO_set_nbio( client, 1 ); ++ /* Set debug Callback for conn BIO as well! 
*/ ++ BIO_set_callback(conn, BIO_debug_callback); + +- SSL_set_bio(pThis->ssl, client, client); +- SSL_set_accept_state(pThis->ssl); /* sets ssl to work in server mode. */ ++ /* TODO: still needed? Set to NON blocking ! */ ++ BIO_set_nbio( conn, 1 ); ++ SSL_set_bio(pThis->ssl, conn, conn); + ++ if (osslType == osslServer) { ++ /* Server Socket */ ++ SSL_set_accept_state(pThis->ssl); /* sets ssl to work in server mode. */ ++ pThis->sslState = osslServer; /*set Server state */ ++ } else { ++ /* Client Socket */ ++ SSL_set_connect_state(pThis->ssl); /*sets ssl to work in client mode.*/ ++ pThis->sslState = osslClient; /*set Client state */ ++ } + pThis->bHaveSess = 1; +- pThis->sslState = osslServer; /*set Server state */ + + /* we are done */ + FINALIZE; +@@ -1136,8 +1141,8 @@ SetAuthMode(nsd_t *const pNsd, uchar *co + ABORT_FINALIZE(RS_RET_VALUE_NOT_SUPPORTED); + } + +- /* Init Anon OpenSSL stuff */ +- CHKiRet(osslAnonInit()); ++ /* Init Anon OpenSSL stuff */ ++ CHKiRet(osslAnonInit()); + + dbgprintf("SetAuthMode: Set Mode %s/%d\n", mode, pThis->authMode); + +@@ -1394,8 +1399,9 @@ osslPostHandshakeCheck(nsd_ossl_t *pNsd) + + #if OPENSSL_VERSION_NUMBER >= 0x10002000L + if(SSL_get_shared_curve(pNsd->ssl, -1) == 0) { +- LogError(0, RS_RET_NO_ERRCODE, "nsd_ossl:" +- "No shared curve between syslog client and server."); ++ // This is not a failure ++ LogMsg(0, RS_RET_NO_ERRCODE, LOG_INFO, "nsd_ossl: " ++ "Information, no shared curve between syslog client and server"); + } + #endif + sslCipher = (const SSL_CIPHER*) SSL_get_current_cipher(pNsd->ssl); +@@ -1518,7 +1524,7 @@ AcceptConnReq(nsd_t *pNsd, nsd_t **ppNew + pNew->permitExpiredCerts = pThis->permitExpiredCerts; + pNew->pPermPeers = pThis->pPermPeers; + pNew->DrvrVerifyDepth = pThis->DrvrVerifyDepth; +- CHKiRet(osslInitSession(pNew)); ++ CHKiRet(osslInitSession(pNew, osslServer)); + + /* Store nsd_ossl_t* reference in SSL obj */ + SSL_set_ex_data(pNew->ssl, 0, pThis); +@@ -1729,9 +1735,6 @@ Connect(nsd_t *pNsd, int 
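Review bot: In AcceptConnReq the new session `pNew` is passed to `osslInitSession(pNew, osslServer)` after `permitExpiredCerts`, `pPermPeers` and `DrvrVerifyDepth` are copied, but no copy of `gnutlsPriorityString` is visible, while the reworked branch in osslInitSession (hunk at -633) now chooses the anon cipher list by testing `pThis->gnutlsPriorityString == NULL`. Unless the field is copied above the hunk, accepted sessions in anon mode would still receive the `aNULL`/`@SECLEVEL=0` list even when custom ciphers are configured on the listener. Adding `pNew->gnutlsPriorityString = pThis->gnutlsPriorityString;` before the call would let the check see the listener's setting. The function body continues outside the hunk.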
family, uchar * + DEFiRet; + DBGPRINTF("openssl: entering Connect family=%d, device=%s\n", family, device); + nsd_ossl_t* pThis = (nsd_ossl_t*) pNsd; +- nsd_ptcp_t* pPtcp = (nsd_ptcp_t*) pThis->pTcp; +- BIO *conn; +- char pristringBuf[4096]; + + ISOBJ_TYPE_assert(pThis, nsd_ossl); + assert(port != NULL); +@@ -1745,61 +1748,13 @@ Connect(nsd_t *pNsd, int family, uchar * + FINALIZE; + } + +- /* Create BIO from ptcp socket! */ +- conn = BIO_new_socket(pPtcp->sock, BIO_CLOSE /*BIO_NOCLOSE*/); +- dbgprintf("Connect: Init conn BIO[%p] done\n", (void *)conn); +- + LogMsg(0, RS_RET_NO_ERRCODE, LOG_INFO, "nsd_ossl: " + "TLS Connection initiated with remote syslog server."); + /*if we reach this point we are in tls mode */ + DBGPRINTF("Connect: TLS Mode\n"); +- if(!(pThis->ssl = SSL_new(ctx))) { +- pThis->ssl = NULL; +- osslLastSSLErrorMsg(0, pThis->ssl, LOG_ERR, "Connect"); +- ABORT_FINALIZE(RS_RET_NO_ERRCODE); +- } + +- // Set SSL_MODE_AUTO_RETRY to SSL obj +- SSL_set_mode(pThis->ssl, SSL_MODE_AUTO_RETRY); +- +- if (pThis->authMode != OSSL_AUTH_CERTANON) { +- dbgprintf("Connect: enable certificate checking (Mode=%d, VerifyDepth=%d)\n", +- pThis->authMode, pThis->DrvrVerifyDepth); +- /* Enable certificate valid checking */ +- SSL_set_verify(pThis->ssl, SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT, verify_callback); +- if (pThis->DrvrVerifyDepth != 0) { +- SSL_set_verify_depth(pThis->ssl, pThis->DrvrVerifyDepth); +- } +- } +- +- if (bAnonInit == 1) { /* no mutex needed, read-only after init */ +- /* Allow ANON Ciphers */ +- #if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) +- /* NOTE: do never use: +eNULL, it DISABLES encryption! 
*/ +- strncpy(pristringBuf, "ALL:+COMPLEMENTOFDEFAULT:+ADH:+ECDH:+aNULL@SECLEVEL=0", +- sizeof(pristringBuf)); +- #else +- strncpy(pristringBuf, "ALL:+COMPLEMENTOFDEFAULT:+ADH:+ECDH:+aNULL", +- sizeof(pristringBuf)); +- #endif +- +- dbgprintf("Connect: setting anon ciphers: %s\n", pristringBuf); +- if ( SSL_set_cipher_list(pThis->ssl, pristringBuf) == 0 ){ +- dbgprintf("Connect: Error setting ciphers '%s'\n", pristringBuf); +- ABORT_FINALIZE(RS_RET_SYS_ERR); +- } +- } +- +- /* Set debug Callback for client BIO as well! */ +- BIO_set_callback(conn, BIO_debug_callback); +- +-/* TODO: still needed? Set to NON blocking ! */ +-BIO_set_nbio( conn, 1 ); +- +- SSL_set_bio(pThis->ssl, conn, conn); +- SSL_set_connect_state(pThis->ssl); /*sets ssl to work in client mode.*/ +- pThis->sslState = osslClient; /*set Client state */ +- pThis->bHaveSess = 1; ++ /* Do SSL Session init */ ++ CHKiRet(osslInitSession(pThis, osslClient)); + + /* Store nsd_ossl_t* reference in SSL obj */ + SSL_set_ex_data(pThis->ssl, 0, pThis); +@@ -1828,90 +1783,106 @@ SetGnutlsPriorityString(nsd_t *const pNs + nsd_ossl_t* pThis = (nsd_ossl_t*) pNsd; + ISOBJ_TYPE_assert(pThis, nsd_ossl); + +- pThis->gnutlsPriorityString = gnutlsPriorityString; ++ dbgprintf("gnutlsPriorityString: set to '%s'\n", ++ (gnutlsPriorityString != NULL ? 
(char*)gnutlsPriorityString : "NULL")); + + /* Skip function if function is NULL gnutlsPriorityString */ +- if (gnutlsPriorityString == NULL) { +- RETiRet; +- } else { +- dbgprintf("gnutlsPriorityString: set to '%s'\n", gnutlsPriorityString); + #if OPENSSL_VERSION_NUMBER >= 0x10002000L && !defined(LIBRESSL_VERSION_NUMBER) +- char *pCurrentPos; +- char *pNextPos; +- char *pszCmd; +- char *pszValue; +- int iConfErr; +- +- /* Set working pointer */ +- pCurrentPos = (char*) pThis->gnutlsPriorityString; +- if (pCurrentPos != NULL && strlen(pCurrentPos) > 0) { +- // Create CTX Config Helper +- SSL_CONF_CTX *cctx; +- cctx = SSL_CONF_CTX_new(); +- if (pThis->sslState == osslServer) { +- SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_SERVER); +- } else { +- SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_CLIENT); +- } +- SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_FILE); +- SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_SHOW_ERRORS); +- SSL_CONF_CTX_set_ssl_ctx(cctx, ctx); +- +- do +- { +- pNextPos = index(pCurrentPos, '='); +- if (pNextPos != NULL) { +- while ( *pCurrentPos != '\0' && +- (*pCurrentPos == ' ' || *pCurrentPos == '\t') ) +- pCurrentPos++; +- pszCmd = strndup(pCurrentPos, pNextPos-pCurrentPos); +- pCurrentPos = pNextPos+1; +- pNextPos = index(pCurrentPos, '\n'); +- pszValue = (pNextPos == NULL ? +- strdup(pCurrentPos) : +- strndup(pCurrentPos, pNextPos - pCurrentPos)); +- pCurrentPos = (pNextPos == NULL ? 
NULL : pNextPos+1); +- +- /* Add SSL Conf Command */ +- iConfErr = SSL_CONF_cmd(cctx, pszCmd, pszValue); +- if (iConfErr > 0) { +- dbgprintf("gnutlsPriorityString: Successfully added Command " +- "'%s':'%s'\n", +- pszCmd, pszValue); +- } +- else { +- LogError(0, RS_RET_SYS_ERR, "Failed to added Command: %s:'%s' " +- "in gnutlsPriorityString with error '%d'", +- pszCmd, pszValue, iConfErr); +- } ++ sbool ApplySettings = 0; ++ if ((gnutlsPriorityString != NULL && pThis->gnutlsPriorityString == NULL) || ++ (gnutlsPriorityString != NULL && ++ strcmp( (const char*)pThis->gnutlsPriorityString, (const char*)gnutlsPriorityString) != 0) ++ ) { ++ ApplySettings = 1; ++ } ++ ++ pThis->gnutlsPriorityString = gnutlsPriorityString; ++ dbgprintf("gnutlsPriorityString: set to '%s' Apply %s\n", ++ (gnutlsPriorityString != NULL ? (char*)gnutlsPriorityString : "NULL"), ++ (ApplySettings == 1? "TRUE" : "FALSE")); + +- free(pszCmd); +- free(pszValue); ++ if (ApplySettings) { ++ ++ if (gnutlsPriorityString == NULL || ctx == NULL) { ++ RETiRet; ++ } else { ++ dbgprintf("gnutlsPriorityString: set to '%s'\n", gnutlsPriorityString); ++ char *pCurrentPos; ++ char *pNextPos; ++ char *pszCmd; ++ char *pszValue; ++ int iConfErr; ++ ++ /* Set working pointer */ ++ pCurrentPos = (char*) pThis->gnutlsPriorityString; ++ if (pCurrentPos != NULL && strlen(pCurrentPos) > 0) { ++ // Create CTX Config Helper ++ SSL_CONF_CTX *cctx; ++ cctx = SSL_CONF_CTX_new(); ++ if (pThis->sslState == osslServer) { ++ SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_SERVER); + } else { +- /* Abort further parsing */ +- pCurrentPos = NULL; ++ SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_CLIENT); + } +- } +- while (pCurrentPos != NULL); ++ SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_FILE); ++ SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_SHOW_ERRORS); ++ SSL_CONF_CTX_set_ssl_ctx(cctx, ctx); ++ ++ do ++ { ++ pNextPos = index(pCurrentPos, '='); ++ if (pNextPos != NULL) { ++ while ( *pCurrentPos != '\0' && ++ (*pCurrentPos == ' ' || 
*pCurrentPos == '\t') ) ++ pCurrentPos++; ++ pszCmd = strndup(pCurrentPos, pNextPos-pCurrentPos); ++ pCurrentPos = pNextPos+1; ++ pNextPos = index(pCurrentPos, '\n'); ++ pszValue = (pNextPos == NULL ? ++ strdup(pCurrentPos) : ++ strndup(pCurrentPos, pNextPos - pCurrentPos)); ++ pCurrentPos = (pNextPos == NULL ? NULL : pNextPos+1); ++ ++ /* Add SSL Conf Command */ ++ iConfErr = SSL_CONF_cmd(cctx, pszCmd, pszValue); ++ if (iConfErr > 0) { ++ dbgprintf("gnutlsPriorityString: Successfully added Command " ++ "'%s':'%s'\n", ++ pszCmd, pszValue); ++ } ++ else { ++ LogError(0, RS_RET_SYS_ERR, "Failed to added Command: %s:'%s' " ++ "in gnutlsPriorityString with error '%d'", ++ pszCmd, pszValue, iConfErr); ++ } ++ ++ free(pszCmd); ++ free(pszValue); ++ } else { ++ /* Abort further parsing */ ++ pCurrentPos = NULL; ++ } ++ } ++ while (pCurrentPos != NULL); + +- /* Finalize SSL Conf */ +- iConfErr = SSL_CONF_CTX_finish(cctx); +- if (!iConfErr) { +- LogError(0, RS_RET_SYS_ERR, "Error: setting openssl command parameters: %s" +- "Open ssl error info may follow in next messages", +- pThis->gnutlsPriorityString); +- osslLastSSLErrorMsg(0, NULL, LOG_ERR, "SetGnutlsPriorityString"); ++ /* Finalize SSL Conf */ ++ iConfErr = SSL_CONF_CTX_finish(cctx); ++ if (!iConfErr) { ++ LogError(0, RS_RET_SYS_ERR, "Error: setting openssl command parameters: %s" ++ "Open ssl error info may follow in next messages", ++ pThis->gnutlsPriorityString); ++ osslLastSSLErrorMsg(0, NULL, LOG_ERR, "SetGnutlsPriorityString"); ++ } ++ SSL_CONF_CTX_free(cctx); + } +- SSL_CONF_CTX_free(cctx); + } ++ } + #else +- dbgprintf("gnutlsPriorityString: set to '%s'\n", gnutlsPriorityString); +- LogError(0, RS_RET_SYS_ERR, "Warning: TLS library does not support SSL_CONF_cmd API" +- "(maybe it is too old?). Cannot use gnutlsPriorityString ('%s'). 
For more see: " +- "https://www.rsyslog.com/doc/master/configuration/modules/imtcp.html#gnutlsprioritystring", +- gnutlsPriorityString); ++ LogError(0, RS_RET_SYS_ERR, "Warning: TLS library does not support SSL_CONF_cmd API" ++ "(maybe it is too old?). Cannot use gnutlsPriorityString ('%s'). For more see: " ++ "https://www.rsyslog.com/doc/master/configuration/modules/imtcp.html#gnutlsprioritystring", ++ gnutlsPriorityString); + #endif +- } + + RETiRet; + } diff --git a/SOURCES/rsyslog-8.2102.0-rhbz2046158-gnutls-broken-connection.patch b/SOURCES/rsyslog-8.2102.0-rhbz2046158-gnutls-broken-connection.patch new file mode 100644 index 0000000..0c3a3a7 --- /dev/null +++ b/SOURCES/rsyslog-8.2102.0-rhbz2046158-gnutls-broken-connection.patch 
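Review bot: A command rejected by `SSL_CONF_cmd` in SetGnutlsPriorityString is only logged, so a mistyped cipher or protocol restriction leaves the context on its previous settings while the function still returns success. Setting `iRet = RS_RET_SYS_ERR;` in that `else` branch, and likewise after a failed `SSL_CONF_CTX_finish`, would let the caller refuse the configuration; whether callers check the return value is not visible here. The results of `SSL_CONF_CTX_new`, `strndup` and `strdup` are also used without a NULL check. In the `#else` branch the `LogError` now runs even when `gnutlsPriorityString` is NULL and passes that NULL to `%s`; putting `if(gnutlsPriorityString != NULL)` in front of it restores the earlier behaviour.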
@@ -0,0 +1,215 @@ +diff -up rsyslog-8.2102.0/runtime/nsd_gtls.c.orig rsyslog-8.2102.0/runtime/nsd_gtls.c +--- rsyslog-8.2102.0/runtime/nsd_gtls.c.orig 2022-04-11 09:26:17.826271989 +0200 ++++ rsyslog-8.2102.0/runtime/nsd_gtls.c 2022-04-11 09:33:28.702012052 +0200 +@@ -556,7 +556,9 @@ gtlsRecordRecv(nsd_gtls_t *pThis) + DEFiRet; + + ISOBJ_TYPE_assert(pThis, nsd_gtls); +- DBGPRINTF("gtlsRecordRecv: start\n"); ++ DBGPRINTF("gtlsRecordRecv: start (Pending Data: %zd | Wanted Direction: %s)\n", ++ gnutls_record_check_pending(pThis->sess), ++ (gnutls_record_get_direction(pThis->sess) == gtlsDir_READ ? "READ" : "WRITE") ); + + lenRcvd = gnutls_record_recv(pThis->sess, pThis->pszRcvBuf, NSD_GTLS_MAX_RCVBUF); + if(lenRcvd >= 0) { +@@ -581,14 +583,30 @@ gtlsRecordRecv(nsd_gtls_t *pThis) + (NSD_GTLS_MAX_RCVBUF+lenRcvd)); + pThis->lenRcvBuf = NSD_GTLS_MAX_RCVBUF+lenRcvd; + } else { +- goto sslerr; ++ if (lenRcvd == GNUTLS_E_AGAIN || lenRcvd == GNUTLS_E_INTERRUPTED) { ++ goto sslerragain; /* Go to ERR AGAIN handling */ ++ } else { ++ /* Do all other error handling */ ++ int gnuRet = lenRcvd; ++ ABORTgnutls; ++ } + } + } + } else if(lenRcvd == GNUTLS_E_AGAIN || lenRcvd == GNUTLS_E_INTERRUPTED) { +-sslerr: +- pThis->rtryCall = gtlsRtry_recv; +- dbgprintf("GnuTLS receive requires a retry (this most probably is OK and no error condition)\n"); +- ABORT_FINALIZE(RS_RET_RETRY); ++sslerragain: ++ /* Check if the underlaying file descriptor needs to read or write data!*/ ++ if (gnutls_record_get_direction(pThis->sess) == gtlsDir_READ) { ++ pThis->rtryCall = gtlsRtry_recv; ++ dbgprintf("GnuTLS receive requires a retry, this most probably is OK and no error condition\n"); ++ ABORT_FINALIZE(RS_RET_RETRY); ++ } else { ++ uchar *pErr = gtlsStrerror(lenRcvd); ++ LogError(0, RS_RET_GNUTLS_ERR, "GnuTLS receive error %zd has wrong read direction(wants write) " ++ "- this could be caused by a broken connection. 
GnuTLS reports: %s\n", ++ lenRcvd, pErr); ++ free(pErr); ++ ABORT_FINALIZE(RS_RET_GNUTLS_ERR); ++ } + } else { + int gnuRet = lenRcvd; + ABORTgnutls; +@@ -1978,6 +1996,7 @@ static rsRetVal + Send(nsd_t *pNsd, uchar *pBuf, ssize_t *pLenBuf) + { + int iSent; ++ int wantsWriteData = 0; + nsd_gtls_t *pThis = (nsd_gtls_t*) pNsd; + DEFiRet; + ISOBJ_TYPE_assert(pThis, nsd_gtls); +@@ -1998,10 +2017,12 @@ Send(nsd_t *pNsd, uchar *pBuf, ssize_t * + break; + } + if(iSent != GNUTLS_E_INTERRUPTED && iSent != GNUTLS_E_AGAIN) { ++ /* Check if the underlaying file descriptor needs to read or write data!*/ ++ wantsWriteData = gnutls_record_get_direction(pThis->sess); + uchar *pErr = gtlsStrerror(iSent); +- LogError(0, RS_RET_GNUTLS_ERR, "unexpected GnuTLS error %d - this " +- "could be caused by a broken connection. GnuTLS reports: %s \n", +- iSent, pErr); ++ LogError(0, RS_RET_GNUTLS_ERR, "unexpected GnuTLS error %d, wantsWriteData=%d - this " ++ "could be caused by a broken connection. GnuTLS reports: %s\n", ++ iSent, wantsWriteData, pErr); + free(pErr); + gnutls_perror(iSent); + ABORT_FINALIZE(RS_RET_GNUTLS_ERR); +diff -up rsyslog-8.2102.0/runtime/nsd_gtls.h.orig rsyslog-8.2102.0/runtime/nsd_gtls.h +--- rsyslog-8.2102.0/runtime/nsd_gtls.h.orig 2022-04-11 09:26:32.744262781 +0200 ++++ rsyslog-8.2102.0/runtime/nsd_gtls.h 2022-04-11 09:34:29.909982895 +0200 +@@ -33,6 +33,11 @@ typedef enum { + gtlsRtry_recv = 2 + } gtlsRtryCall_t; /**< IDs of calls that needs to be retried */ + ++typedef enum { ++ gtlsDir_READ = 0, /**< GNUTLS wants READ */ ++ gtlsDir_WRITE = 1 /**< GNUTLS wants WRITE */ ++} gtlsDirection_t; ++ + typedef nsd_if_t nsd_gtls_if_t; /* we just *implement* this interface */ + + /* the nsd_gtls object */ +diff -up rsyslog-8.2102.0/runtime/nsdsel_gtls.c.orig rsyslog-8.2102.0/runtime/nsdsel_gtls.c +--- rsyslog-8.2102.0/runtime/nsdsel_gtls.c.orig 2022-04-11 09:26:42.529256742 +0200 ++++ rsyslog-8.2102.0/runtime/nsdsel_gtls.c 2022-04-11 09:38:27.425869737 +0200 +@@ -81,6 
+81,7 @@ Add(nsdsel_t *pNsdsel, nsd_t *pNsd, nsds + + ISOBJ_TYPE_assert(pThis, nsdsel_gtls); + ISOBJ_TYPE_assert(pNsdGTLS, nsd_gtls); ++ DBGPRINTF("Add on nsd %p:\n", pNsdGTLS); + if(pNsdGTLS->iMode == 1) { + if(waitOp == NSDSEL_RD && gtlsHasRcvInBuffer(pNsdGTLS)) { + ++pThis->iBufferRcvReady; +@@ -99,6 +100,8 @@ Add(nsdsel_t *pNsdsel, nsd_t *pNsd, nsds + } + } + ++ dbgprintf("nsdsel_gtls: reached end on nsd %p, calling nsdsel_ptcp.Add with waitOp %d... \n", pNsdGTLS, waitOp); ++ + /* if we reach this point, we need no special handling */ + CHKiRet(nsdsel_ptcp.Add(pThis->pTcp, pNsdGTLS->pTcp, waitOp)); + +@@ -120,7 +123,8 @@ Select(nsdsel_t *pNsdsel, int *piNumRead + if(pThis->iBufferRcvReady > 0) { + /* we still have data ready! */ + *piNumReady = pThis->iBufferRcvReady; +- dbgprintf("nsdsel_gtls: doing dummy select, data present\n"); ++ dbgprintf("nsdsel_gtls: doing dummy select for %p->iBufferRcvReady=%d, data present\n", ++ pThis, pThis->iBufferRcvReady); + } else { + iRet = nsdsel_ptcp.Select(pThis->pTcp, piNumReady); + } +@@ -138,7 +142,7 @@ doRetry(nsd_gtls_t *pNsd) + DEFiRet; + int gnuRet; + +- dbgprintf("GnuTLS requested retry of %d operation - executing\n", pNsd->rtryCall); ++ dbgprintf("doRetry: GnuTLS requested retry of %d operation - executing\n", pNsd->rtryCall); + + /* We follow a common scheme here: first, we do the systen call and + * then we check the result. 
So far, the result is checked after the +@@ -151,7 +155,7 @@ doRetry(nsd_gtls_t *pNsd) + case gtlsRtry_handshake: + gnuRet = gnutls_handshake(pNsd->sess); + if(gnuRet == GNUTLS_E_AGAIN || gnuRet == GNUTLS_E_INTERRUPTED) { +- dbgprintf("GnuTLS handshake retry did not finish - " ++ dbgprintf("doRetry: GnuTLS handshake retry did not finish - " + "setting to retry (this is OK and can happen)\n"); + FINALIZE; + } else if(gnuRet == 0) { +@@ -167,9 +171,20 @@ doRetry(nsd_gtls_t *pNsd) + } + break; + case gtlsRtry_recv: +- dbgprintf("retrying gtls recv, nsd: %p\n", pNsd); +- CHKiRet(gtlsRecordRecv(pNsd)); +- pNsd->rtryCall = gtlsRtry_None; /* we are done */ ++ dbgprintf("doRetry: retrying gtls recv, nsd: %p\n", pNsd); ++ iRet = gtlsRecordRecv(pNsd); ++ if (iRet == RS_RET_RETRY) { ++ // Check if there is pending data ++ size_t stBytesLeft = gnutls_record_check_pending(pNsd->sess); ++ if (stBytesLeft > 0) { ++ // We are in retry and more data waiting, finalize it ++ goto finalize_it; ++ } else { ++ dbgprintf("doRetry: gtlsRecordRecv returned RETRY, but there is no pending" ++ "data on nsd: %p\n", pNsd); ++ } ++ } ++ pNsd->rtryCall = gtlsRtry_None; /* no more data, we are done */ + gnuRet = 0; + break; + case gtlsRtry_None: +@@ -241,7 +256,7 @@ IsReady(nsdsel_t *pNsdsel, nsd_t *pNsd, + * socket. 
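Review bot: In the `gtlsRtry_recv` case of doRetry the former `CHKiRet(gtlsRecordRecv(pNsd))` is now a plain assignment, so any result other than `RS_RET_RETRY`, including the `RS_RET_GNUTLS_ERR` this patch adds for a wrong read direction, falls through to `pNsd->rtryCall = gtlsRtry_None; gnuRet = 0;` as if the receive had completed. What the code after the switch does with that `iRet` is outside the hunk, so this may be handled there, but an explicit `if(iRet != RS_RET_OK && iRet != RS_RET_RETRY) FINALIZE;` right after the call would keep the old short-circuit on hard errors. The new debug string also joins `"no pending"` and `"data on nsd"` without a space, printing "pendingdata".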
-- rgerhards, 2010-11-20 + */ + if(pThis->iBufferRcvReady) { +- dbgprintf("nsd_gtls: dummy read, buffer not available for this FD\n"); ++ dbgprintf("nsd_gtls: dummy read, %p->buffer not available for this FD\n", pThis); + *pbIsReady = 0; + FINALIZE; + } +diff -up rsyslog-8.2102.0/runtime/tcpsrv.c.orig rsyslog-8.2102.0/runtime/tcpsrv.c +--- rsyslog-8.2102.0/runtime/tcpsrv.c.orig 2022-04-11 09:27:00.376245726 +0200 ++++ rsyslog-8.2102.0/runtime/tcpsrv.c 2022-04-11 09:41:57.885777708 +0200 +@@ -609,14 +609,15 @@ doReceive(tcpsrv_t *pThis, tcps_sess_t * + int oserr = 0; + + ISOBJ_TYPE_assert(pThis, tcpsrv); +- DBGPRINTF("netstream %p with new data\n", (*ppSess)->pStrm); ++ prop.GetString((*ppSess)->fromHostIP, &pszPeer, &lenPeer); ++ DBGPRINTF("netstream %p with new data from remote peer %s\n", (*ppSess)->pStrm, pszPeer); + /* Receive message */ + iRet = pThis->pRcvData(*ppSess, buf, sizeof(buf), &iRcvd, &oserr); + switch(iRet) { + case RS_RET_CLOSED: + if(pThis->bEmitMsgOnClose) { + errno = 0; +- prop.GetString((*ppSess)->fromHostIP, &pszPeer, &lenPeer); ++ // prop.GetString((*ppSess)->fromHostIP, &pszPeer, &lenPeer); + LogError(0, RS_RET_PEER_CLOSED_CONN, "Netstream session %p closed by remote " + "peer %s.\n", (*ppSess)->pStrm, pszPeer); + } +@@ -632,13 +633,13 @@ doReceive(tcpsrv_t *pThis, tcps_sess_t * + /* in this case, something went awfully wrong. + * We are instructed to terminate the session. 
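Review bot: The `prop.GetString(...)` calls in the error paths of doReceive are left behind as `//` comments, one in this hunk and two in the hunk at -632, rather than being deleted, which leaves dead code beside the log statements that depend on `pszPeer`. Removing those lines and putting one comment above the new call, for example `/* resolve the peer address once; the debug line and every error path below use pszPeer */`, would make the dependency clear to the next reader. The function starts and ends outside the hunk.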
+ */ +- prop.GetString((*ppSess)->fromHostIP, &pszPeer, &lenPeer); ++ // prop.GetString((*ppSess)->fromHostIP, &pszPeer, &lenPeer); + LogError(oserr, localRet, "Tearing down TCP Session from %s", pszPeer); + CHKiRet(closeSess(pThis, ppSess, pPoll)); + } + break; + default: +- prop.GetString((*ppSess)->fromHostIP, &pszPeer, &lenPeer); ++ // prop.GetString((*ppSess)->fromHostIP, &pszPeer, &lenPeer); + LogError(oserr, iRet, "netstream session %p from %s will be closed due to error", + (*ppSess)->pStrm, pszPeer); + CHKiRet(closeSess(pThis, ppSess, pPoll)); +@@ -838,6 +839,7 @@ RunSelect(tcpsrv_t *pThis, nsd_epworkset + while(iTCPSess != -1) { + /* TODO: access to pNsd is NOT really CLEAN, use method... */ + CHKiRet(nssel.Add(pSel, pThis->pSessions[iTCPSess]->pStrm, NSDSEL_RD)); ++ DBGPRINTF("tcpsrv process session %d:\n", iTCPSess); + /* now get next... */ + iTCPSess = TCPSessGetNxtSess(pThis, iTCPSess); + } diff --git a/SOURCES/rsyslog-8.2102.0-rhbz2124934-extra-ca-files-doc.patch b/SOURCES/rsyslog-8.2102.0-rhbz2124934-extra-ca-files-doc.patch new file mode 100644 index 0000000..886e174 --- /dev/null +++ b/SOURCES/rsyslog-8.2102.0-rhbz2124934-extra-ca-files-doc.patch @@ -0,0 +1,23 @@ +--- rsyslog-8.2102.0.ori/doc/configuration/global/index.html 2021-02-15 12:53:30.000000000 +0100 ++++ rsyslog-8.2102.0/doc/configuration/global/index.html 2022-09-07 13:32:10.426621438 +0200 +@@ -119,6 +119,13 @@ + network stream driver to use. + Defaults to ptcp.

      + ++
    • $NetstreamDriverCAExtraFiles </path/to/extracafile.pem> - ++This directive allows to configure multiple additional extra CA files. ++This is intended for SSL certificate chains to work appropriately, ++as the different CA files in the chain need to be specified. ++It must be remarked that this directive only works with the OpenSSL driver. ++

      ++
    • +
    • $DefaultNetstreamDriverCAFile </path/to/cafile.pem>

      +
    • +
    • $DefaultNetstreamDriverCertFile </path/to/certfile.pem>

      +@@ -311,4 +318,4 @@ + + +- +\ No newline at end of file ++ diff --git a/SOURCES/rsyslog-8.2102.0-rhbz2124934-extra-ca-files.patch b/SOURCES/rsyslog-8.2102.0-rhbz2124934-extra-ca-files.patch new file mode 100644 index 0000000..2308b7f --- /dev/null +++ b/SOURCES/rsyslog-8.2102.0-rhbz2124934-extra-ca-files.patch 
@@ -0,0 +1,134 @@ +--- rsyslog-8.2102.0.ori/runtime/glbl.h 2020-10-03 19:06:47.000000000 +0200 ++++ rsyslog-8.2102.0/runtime/glbl.h 2022-09-07 13:32:51.623799582 +0200 +@@ -72,6 +72,7 @@ + SIMP_PROP(DfltNetstrmDrvrCAF, uchar*) + SIMP_PROP(DfltNetstrmDrvrKeyFile, uchar*) + SIMP_PROP(DfltNetstrmDrvrCertFile, uchar*) ++ SIMP_PROP(NetstrmDrvrCAExtraFiles, uchar*) + SIMP_PROP(ParserControlCharacterEscapePrefix, uchar) + SIMP_PROP(ParserDropTrailingLFOnReception, int) + SIMP_PROP(ParserEscapeControlCharactersOnReceive, int) +--- rsyslog-8.2102.0.ori/runtime/glbl.c 2022-09-07 13:17:02.669696053 +0200 ++++ rsyslog-8.2102.0/runtime/glbl.c 2022-09-07 13:56:37.678966129 +0200 +@@ -122,6 +122,7 @@ + static uchar *pszDfltNetstrmDrvrCAF = NULL; /* default CA file for the netstrm driver */ + static uchar *pszDfltNetstrmDrvrKeyFile = NULL; /* default key file for the netstrm driver (server) */ + static uchar *pszDfltNetstrmDrvrCertFile = NULL; /* default cert file for the netstrm driver (server) */ ++static uchar *pszNetstrmDrvrCAExtraFiles = NULL; /* list of additional CAExtraFiles */ + int bTerminateInputs = 0; /* global switch that inputs shall terminate ASAP (1=> terminate) */ + static uchar cCCEscapeChar = '#'; /* character to be used to start an escape sequence for control chars */ + static int bDropTrailingLF = 1; /* drop trailing LF's on reception? 
*/ +@@ -176,6 +177,7 @@ + { "defaultnetstreamdriverkeyfile", eCmdHdlrString, 0 }, + { "defaultnetstreamdrivercertfile", eCmdHdlrString, 0 }, + { "defaultnetstreamdriver", eCmdHdlrString, 0 }, ++ { "netstreamdrivercaextrafiles", eCmdHdlrString, 0 }, + { "maxmessagesize", eCmdHdlrSize, 0 }, + { "oversizemsg.errorfile", eCmdHdlrGetWord, 0 }, + { "oversizemsg.report", eCmdHdlrBinary, 0 }, +@@ -307,6 +309,8 @@ + /* TODO: use custom function which frees existing value */ + SIMP_PROP_SET(DfltNetstrmDrvrCertFile, pszDfltNetstrmDrvrCertFile, uchar*) + /* TODO: use custom function which frees existing value */ ++SIMP_PROP_SET(NetstrmDrvrCAExtraFiles, pszNetstrmDrvrCAExtraFiles, uchar*) ++/* TODO: use custom function which frees existing value */ + + #undef SIMP_PROP + #undef SIMP_PROP_SET +@@ -838,6 +842,12 @@ + return(pszDfltNetstrmDrvrCAF); + } + ++/* return the extra CA Files, if needed */ ++static uchar* ++GetNetstrmDrvrCAExtraFiles(void) ++{ ++ return(pszNetstrmDrvrCAExtraFiles); ++} + + /* return the current default netstream driver key File */ + static uchar* +@@ -925,6 +935,7 @@ + SIMP_PROP(DfltNetstrmDrvrCAF) + SIMP_PROP(DfltNetstrmDrvrKeyFile) + SIMP_PROP(DfltNetstrmDrvrCertFile) ++ SIMP_PROP(NetstrmDrvrCAExtraFiles) + #ifdef USE_UNLIMITED_SELECT + SIMP_PROP(FdSetSize) + #endif +@@ -941,6 +952,8 @@ + pszDfltNetstrmDrvr = NULL; + free(pszDfltNetstrmDrvrCAF); + pszDfltNetstrmDrvrCAF = NULL; ++ free(pszNetstrmDrvrCAExtraFiles); ++ pszNetstrmDrvrCAExtraFiles = NULL; + free(pszDfltNetstrmDrvrKeyFile); + pszDfltNetstrmDrvrKeyFile = NULL; + free(pszDfltNetstrmDrvrCertFile); +@@ -1350,6 +1363,9 @@ + free(pszDfltNetstrmDrvr); + pszDfltNetstrmDrvr = (uchar*) + es_str2cstr(cnfparamvals[i].val.d.estr, NULL); ++ } else if(!strcmp(paramblk.descr[i].name, "netstreamdrivercaextrafiles")) { ++ free(pszNetstrmDrvrCAExtraFiles); ++ pszNetstrmDrvrCAExtraFiles = (uchar*) es_str2cstr(cnfparamvals[i].val.d.estr, NULL); + } else if(!strcmp(paramblk.descr[i].name, "preservefqdn")) { + 
bPreserveFQDN = (int) cnfparamvals[i].val.d.n; + } else if(!strcmp(paramblk.descr[i].name, +@@ -1546,6 +1562,8 @@ + &pszDfltNetstrmDrvrKeyFile, NULL)); + CHKiRet(regCfSysLineHdlr((uchar *)"defaultnetstreamdrivercertfile", 0, eCmdHdlrGetWord, NULL, + &pszDfltNetstrmDrvrCertFile, NULL)); ++ CHKiRet(regCfSysLineHdlr((uchar *)"netstreamdrivercaextrafiles", 0, eCmdHdlrGetWord, NULL, ++ &pszNetstrmDrvrCAExtraFiles, NULL)); + CHKiRet(regCfSysLineHdlr((uchar *)"localhostname", 0, eCmdHdlrGetWord, NULL, &LocalHostNameOverride, NULL)); + CHKiRet(regCfSysLineHdlr((uchar *)"localhostipif", 0, eCmdHdlrGetWord, setLocalHostIPIF, NULL, NULL)); + CHKiRet(regCfSysLineHdlr((uchar *)"optimizeforuniprocessor", 0, eCmdHdlrGoneAway, NULL, NULL, NULL)); +--- rsyslog-8.2102.0.ori/runtime/nsd_ossl.c 2022-09-07 13:17:02.705696208 +0200 ++++ rsyslog-8.2102.0/runtime/nsd_ossl.c 2022-09-07 14:09:18.697256943 +0200 +@@ -88,6 +88,7 @@ + static short bHaveCA; + static short bHaveCert; + static short bHaveKey; ++static short bHaveExtraCAFiles; + static int bAnonInit; + static MUTEX_TYPE anonInit_mut = PTHREAD_MUTEX_INITIALIZER; + +@@ -414,7 +415,8 @@ + { + DEFiRet; + DBGPRINTF("openssl: entering osslGlblInit\n"); +- const char *caFile, *certFile, *keyFile; ++ const char *caFile, *certFile, *keyFile, *extraCaFile; ++ char *extraCaFiles; + + /* Setup OpenSSL library */ + if((opensslh_THREAD_setup() == 0) || !SSL_library_init()) { +@@ -451,9 +453,27 @@ + } else { + bHaveKey = 1; + } ++ extraCaFiles = (char*) glbl.GetNetstrmDrvrCAExtraFiles(); ++ if(extraCaFiles == NULL) { ++ bHaveExtraCAFiles = 0; ++ } else { ++ bHaveExtraCAFiles = 1; ++ } + + /* Create main CTX Object */ + ctx = SSL_CTX_new(SSLv23_method()); ++ if(bHaveExtraCAFiles == 1) { ++ while((extraCaFile = strsep(&extraCaFiles, ","))) { ++ if(SSL_CTX_load_verify_locations(ctx, extraCaFile, NULL) != 1) { ++ LogError(0, RS_RET_TLS_CERT_ERR, "Error: Extra Certificate file could not be accessed. 
" ++ "Check at least: 1) file path is correct, 2) file exist, " ++ "3) permissions are correct, 4) file content is correct. " ++ "Open ssl error info may follow in next messages"); ++ osslLastSSLErrorMsg(0, NULL, LOG_ERR, "osslGlblInit"); ++ ABORT_FINALIZE(RS_RET_TLS_CERT_ERR); ++ } ++ } ++ } + if(bHaveCA == 1 && SSL_CTX_load_verify_locations(ctx, caFile, NULL) != 1) { + LogError(0, RS_RET_TLS_CERT_ERR, "Error: CA certificate could not be accessed. " + "Check at least: 1) file path is correct, 2) file exist, " diff --git a/SOURCES/rsyslog-8.2102.0-rhbz2157658-imklog.patch b/SOURCES/rsyslog-8.2102.0-rhbz2157658-imklog.patch new file mode 100644 index 0000000..8e46b35 --- /dev/null +++ b/SOURCES/rsyslog-8.2102.0-rhbz2157658-imklog.patch @@ -0,0 +1,20 @@ +diff --git a/plugins/imklog/imklog.c b/plugins/imklog/imklog.c +index 6c24b5a2db..78cfc3bae2 100644 +--- a/plugins/imklog/imklog.c ++++ b/plugins/imklog/imklog.c +@@ -453,6 +453,7 @@ ENDactivateCnf + + BEGINfreeCnf + CODESTARTfreeCnf ++ free(pModConf->pszBindRuleset); + ENDfreeCnf + + +@@ -475,7 +476,6 @@ CODESTARTmodExit + if(pInputName != NULL) + prop.Destruct(&pInputName); + +- free(runModConf->pszBindRuleset); + /* release objects we used */ + objRelease(glbl, CORE_COMPONENT); + objRelease(net, CORE_COMPONENT); diff --git a/SOURCES/rsyslog-8.37.0-rhbz2081396-CVE-2022-24903.patch b/SOURCES/rsyslog-8.37.0-rhbz2081396-CVE-2022-24903.patch new file mode 100644 index 0000000..e3b1453 --- /dev/null +++ b/SOURCES/rsyslog-8.37.0-rhbz2081396-CVE-2022-24903.patch 
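Review bot: In osslGlblInit (nsd_ossl.c) the new loop calls `strsep(&extraCaFiles, ",")` on the pointer returned by `glbl.GetNetstrmDrvrCAExtraFiles()`, and the getter added in glbl.c returns the stored `pszNetstrmDrvrCAExtraFiles` itself, so the commas in the global setting are overwritten with NULs. Any later reader of the setting then sees only the first path. Tokenize a private copy and free it on every exit path. An empty entry from a trailing or doubled comma is passed to `SSL_CTX_load_verify_locations` as an empty path and aborts initialisation, so skip it explicitly. The error text also does not name the file that failed, and `ctx` is used directly after `SSL_CTX_new` with no NULL check visible in the hunk; osslGlblInit continues outside the hunk.

```c
	if(bHaveExtraCAFiles == 1) {
		/* strsep() writes NULs into its argument: work on a copy so the
		 * configured value stays intact for later readers */
		char *extraCaFilesCopy = strdup(extraCaFiles);
		char *tokCursor = extraCaFilesCopy;
		if(extraCaFilesCopy == NULL) {
			ABORT_FINALIZE(RS_RET_OUT_OF_MEMORY);
		}
		while((extraCaFile = strsep(&tokCursor, ",")) != NULL) {
			if(*extraCaFile == '\0') {
				continue; /* empty entry, e.g. trailing comma */
			}
			if(SSL_CTX_load_verify_locations(ctx, extraCaFile, NULL) != 1) {
				/* … unchanged: LogError / osslLastSSLErrorMsg … */
				free(extraCaFilesCopy);
				ABORT_FINALIZE(RS_RET_TLS_CERT_ERR);
			}
		}
		free(extraCaFilesCopy);
	}
```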
@@ -0,0 +1,30 @@
+diff -up rsyslog-8.37.0/plugins/imptcp/imptcp.c.orig rsyslog-8.37.0/plugins/imptcp/imptcp.c
+--- rsyslog-8.37.0/plugins/imptcp/imptcp.c.orig 2022-05-09 12:22:59.050623119 +0200
++++ rsyslog-8.37.0/plugins/imptcp/imptcp.c 2022-05-09 12:34:39.979854853 +0200
+@@ -1032,7 +1032,10 @@ processDataRcvd(ptcpsess_t *const __rest
+ if(pThis->iOctetsRemain <= 200000000) {
+ pThis->iOctetsRemain = pThis->iOctetsRemain * 10 + c - '0';
+ }
+- *(pThis->pMsg + pThis->iMsg++) = c;
++ // *(pThis->pMsg + pThis->iMsg++) = c;
++ if(pThis->iMsg < iMaxLine) {
++ *(pThis->pMsg + pThis->iMsg++) = c;
++ }
+ } else { /* done with the octet count, so this must be the SP terminator */
+ DBGPRINTF("TCP Message with octet-counter, size %d.\n", pThis->iOctetsRemain);
+ prop.GetString(pThis->peerName, &propPeerName, &lenPeerName);
+diff -up rsyslog-8.37.0/runtime/tcps_sess.c.orig rsyslog-8.37.0/runtime/tcps_sess.c
+--- rsyslog-8.37.0/runtime/tcps_sess.c.orig 2022-05-09 12:23:12.789627661 +0200
++++ rsyslog-8.37.0/runtime/tcps_sess.c 2022-05-09 12:36:51.426898549 +0200
+@@ -389,7 +389,10 @@ processDataRcvd(tcps_sess_t *pThis,
+ if(pThis->iOctetsRemain <= 200000000) {
+ pThis->iOctetsRemain = pThis->iOctetsRemain * 10 + c - '0';
+ }
+- *(pThis->pMsg + pThis->iMsg++) = c;
++ // *(pThis->pMsg + pThis->iMsg++) = c;
++ if(pThis->iMsg < iMaxLine) {
++ *(pThis->pMsg + pThis->iMsg++) = c;
++ }
+ } else { /* done with the octet count, so this must be the SP terminator */
+ DBGPRINTF("TCP Message with octet-counter, size %d.\n", pThis->iOctetsRemain);
+ prop.GetString(pThis->fromHost, &propPeerName, &lenPeerName);
diff --git a/SOURCES/rsyslog.conf b/SOURCES/rsyslog.conf
new file mode 100644
index 0000000..06b19d1
--- /dev/null
+++ b/SOURCES/rsyslog.conf
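Review bot: The old unchecked store is left behind as a comment (`// *(pThis->pMsg + pThis->iMsg++) = c;`) in both processDataRcvd hunks (imptcp.c and tcps_sess.c), which keeps the vulnerable form in the tree and does not say why the guard exists. I would drop that line and document the guard instead, e.g. `/* octet-count digits are copied into pMsg; stop at iMaxLine so an over-long count cannot write past the buffer (CVE-2022-24903) */`. Digits beyond the limit are now discarded silently; if the code after the hunk does not already report an oversized octet count, an error that names the peer would help detection. The declaration of iMaxLine and the allocation size of pMsg are outside the hunk, so the `<` bound should be confirmed against that allocation.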
@@ -0,0 +1,79 @@
+# rsyslog configuration file
+
+# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
+# or latest version online at http://www.rsyslog.com/doc/rsyslog_conf.html
+# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html
+
+#### MODULES ####
+
+module(load="imuxsock" # provides support for local system logging (e.g. via logger command)
+ SysSock.Use="off") # Turn off message reception via local log socket;
+ # local messages are retrieved through imjournal now.
+module(load="imjournal" # provides access to the systemd journal
+ StateFile="imjournal.state") # File to store the position in the journal
+#module(load="imklog") # reads kernel messages (the same are read from journald)
+#module(load="immark") # provides --MARK-- message capability
+
+# Provides UDP syslog reception
+# for parameters see http://www.rsyslog.com/doc/imudp.html
+#module(load="imudp") # needs to be done just once
+#input(type="imudp" port="514")
+
+# Provides TCP syslog reception
+# for parameters see http://www.rsyslog.com/doc/imtcp.html
+#module(load="imtcp") # needs to be done just once
+#input(type="imtcp" port="514")
+
+#### GLOBAL DIRECTIVES ####
+
+# Where to place auxiliary files
+global(workDirectory="/var/lib/rsyslog")
+
+# Use default timestamp format
+module(load="builtin:omfile" Template="RSYSLOG_TraditionalFileFormat")
+
+# Include all config files in /etc/rsyslog.d/
+include(file="/etc/rsyslog.d/*.conf" mode="optional")
+
+#### RULES ####
+
+# Log all kernel messages to the console.
+# Logging much else clutters up the screen.
+#kern.* /dev/console
+
+# Log anything (except mail) of level info or higher.
+# Don't log private authentication messages!
+*.info;mail.none;authpriv.none;cron.none /var/log/messages
+
+# The authpriv file has restricted access.
+authpriv.* /var/log/secure
+
+# Log all the mail messages in one place.
+mail.* -/var/log/maillog
+
+
+# Log cron stuff
+cron.* /var/log/cron
+
+# Everybody gets emergency messages
+*.emerg :omusrmsg:*
+
+# Save news errors of level crit and higher in a special file.
+uucp,news.crit /var/log/spooler
+
+# Save boot messages also to boot.log
+local7.* /var/log/boot.log
+
+
+# ### sample forwarding rule ###
+#action(type="omfwd"
+# An on-disk queue is created for this action. If the remote host is
+# down, messages are spooled to disk and sent when it is up again.
+#queue.filename="fwdRule1" # unique name prefix for spool files
+#queue.maxdiskspace="1g" # 1gb space limit (use as much as possible)
+#queue.saveonshutdown="on" # save messages to disk on shutdown
+#queue.type="LinkedList" # run asynchronously
+#action.resumeRetryCount="-1" # infinite retries if host is down
+# Remote Logging (we use TCP for reliable delivery)
+# remote_host is: name/ip, e.g. 192.168.0.1, port optional e.g. 10514
+#Target="remote_host" Port="XXX" Protocol="tcp")
diff --git a/SOURCES/rsyslog.log b/SOURCES/rsyslog.log
new file mode 100644
index 0000000..db85401
--- /dev/null
+++ b/SOURCES/rsyslog.log
@@ -0,0 +1,12 @@
+/var/log/cron
+/var/log/maillog
+/var/log/messages
+/var/log/secure
+/var/log/spooler
+{
+ missingok
+ sharedscripts
+ postrotate
+ /usr/bin/systemctl -s HUP kill rsyslog.service >/dev/null 2>&1 || true
+ endscript
+}
diff --git a/SOURCES/rsyslog.service b/SOURCES/rsyslog.service
new file mode 100644
index 0000000..3b073f6
--- /dev/null
+++ b/SOURCES/rsyslog.service
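Review bot: The commented sample forwarding rule at the end of rsyslog.conf sets `Protocol="tcp"` with no stream driver, so an administrator who uncomments it sends logs in cleartext to a peer that is never authenticated, while the comment only mentions reliable delivery. I would add a comment line before `#Target=` such as `# Plain TCP is neither encrypted nor authenticated; across untrusted networks add StreamDriver="ossl" StreamDriverMode="1" StreamDriverAuthMode="x509/name"`. The documentation links in the file header still use `http://`, whereas the unit file in this commit already points at `https://www.rsyslog.com/doc/`.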
@@ -0,0 +1,23 @@
+[Unit]
+Description=System Logging Service
+;Requires=syslog.socket
+Wants=network.target network-online.target
+After=network.target network-online.target
+Documentation=man:rsyslogd(8)
+Documentation=https://www.rsyslog.com/doc/
+
+[Service]
+Type=notify
+EnvironmentFile=-/etc/sysconfig/rsyslog
+ExecStart=/usr/sbin/rsyslogd -n $SYSLOGD_OPTIONS
+UMask=0066
+StandardOutput=null
+Restart=on-failure
+
+# Increase the default a bit in order to allow many simultaneous
+# files to be monitored, we might need a lot of fds.
+LimitNOFILE=16384
+
+[Install]
+WantedBy=multi-user.target
+;Alias=syslog.service
diff --git a/SOURCES/rsyslog.sysconfig b/SOURCES/rsyslog.sysconfig
new file mode 100644
index 0000000..bc65731
--- /dev/null
+++ b/SOURCES/rsyslog.sysconfig
@@ -0,0 +1,5 @@
+# Options for rsyslogd
+# Syslogd options are deprecated since rsyslog v3.
+# If you want to use them, switch to compatibility mode 2 by "-c 2"
+# See rsyslogd(8) for more details
+SYSLOGD_OPTIONS=""
diff --git a/SPECS/rsyslog.spec b/SPECS/rsyslog.spec
new file mode 100644
index 0000000..642aef2
--- /dev/null
+++ b/SPECS/rsyslog.spec
@@ -0,0 +1,812 @@ +%define rsyslog_statedir %{_sharedstatedir}/%{name} +%define rsyslog_pkidir %{_sysconfdir}/pki/%{name} +%define rsyslog_docdir %{_docdir}/%{name} + + +Summary: Enhanced system logging and kernel message trapping daemon +Name: rsyslog +Version: 8.2102.0 +Release: 13%{?dist} +License: (GPLv3+ and ASL 2.0) +Group: System Environment/Daemons +ExcludeArch: i686 +URL: http://www.rsyslog.com/ +Source0: http://www.rsyslog.com/files/download/rsyslog/%{name}-%{version}.tar.gz +Source1: http://www.rsyslog.com/files/download/rsyslog/%{name}-doc-%{version}.tar.gz +Source2: rsyslog.conf +Source3: rsyslog.sysconfig +Source4: rsyslog.log +Source5: qpid-proton-0.34.0.tar.gz +Source6: rsyslog.service + +BuildRequires: autoconf +BuildRequires: automake +BuildRequires: bison +BuildRequires: flex +BuildRequires: libcurl-devel +BuildRequires: libgcrypt-devel +BuildRequires: libfastjson-devel >= 0.99.8 +BuildRequires: libestr-devel >= 0.1.9 +BuildRequires: libtool +BuildRequires: libuuid-devel +BuildRequires: pkgconfig +BuildRequires: python3-docutils +# it depens on rhbz#1419228 +BuildRequires: systemd-devel >= 219-39 +BuildRequires: zlib-devel +BuildRequires: openssl-devel + +Requires: openssl-libs +Requires: logrotate >= 3.5.2 +Requires: bash >= 2.0 +Requires: libestr >= 0.1.9 +Requires(post): systemd +Requires(preun): systemd +Requires(postun): systemd + +Provides: syslog +Obsoletes: sysklogd < 1.5-11 + +# imjournal: adds "journal" when tag/process name is missing +Patch0: rsyslog-8.1911.0-rhbz1659898-imjournal-default-tag.patch +Patch1: rsyslog-8.2102.0-rhbz1960536-fdleak-on-fsync.patch +Patch2: rsyslog-8.2102.0-rhbz1886400-reduce-default-timeout.patch +Patch3: rsyslog-8.2102.0-rhbz1866877-unexpected-length.patch +Patch4: rsyslog-8.2102.0-rhbz1984616-imuxsock-ratelimit.patch +Patch5: rsyslog-8.2102.0-rhbz1984489-remove-abort-on-id-resolution-fail.patch +Patch6: rsyslog-8.2102.0-rhbz1832368-prioritize-SAN.patch +Patch7: 
rsyslog-8.2102.0-rhbz1962318-errfile-maxsize.patch +Patch8: rsyslog-8.2102.0-rhbz1909639-statefiles-fix.patch +Patch9: rsyslog-8.2102.0-rhbz1909639-statefiles-doc.patch +Patch10: rsyslog-8.2102.0-nsd_ossl-better-logs.patch +Patch11: rsyslog-8.2102.0-imtcp-param-refactor.patch +Patch12: rsyslog-8.2102.0-nsd_ossl-memory-leak.patch +Patch13: rsyslog-8.2102.0-rhbz2046158-correct-custom-ciphers-behaviour.patch +Patch14: rsyslog-8.37.0-rhbz2081396-CVE-2022-24903.patch +Patch15: rsyslog-8.2102.0-rhbz2046158-gnutls-broken-connection.patch +Patch16: rsyslog-8.2102.0-rhbz2124934-extra-ca-files.patch +Patch17: rsyslog-8.2102.0-rhbz2124934-extra-ca-files-doc.patch +Patch18: rsyslog-8.2102.0-rhbz2157658-imklog.patch + +%package crypto +Summary: Encryption support +Group: System Environment/Daemons +Requires: %name = %version-%release + +%package doc +Summary: HTML Documentation for rsyslog +Group: Documentation +#no reason to have arched documentation +BuildArch: noarch + +%package elasticsearch +Summary: ElasticSearch output module for rsyslog +Group: System Environment/Daemons +Requires: %name = %version-%release + +%package gnutls +Summary: TLS protocol support for rsyslog via GnuTLS library +Group: System Environment/Daemons +Requires: %name = %version-%release +BuildRequires: gnutls-devel + +%package openssl +Summary: TLS protocol support for rsyslog via OpenSSL library +Group: System Environment/Daemons +Requires: %name = %version-%release +BuildRequires: openssl-devel + +%package gssapi +Summary: GSSAPI authentication and encryption support for rsyslog +Group: System Environment/Daemons +Requires: %name = %version-%release +BuildRequires: krb5-devel + +%package kafka +Summary: Provides kafka support for rsyslog +Group: System Environment/Daemons +Requires: %name = %version-%release +BuildRequires: librdkafka-devel + +%package mmaudit +Summary: Message modification module supporting Linux audit format +Group: System Environment/Daemons +Requires: %name = %version-%release 
+ +%package mmjsonparse +Summary: JSON enhanced logging support +Group: System Environment/Daemons +Requires: %name = %version-%release + +%package mmkubernetes +Summary: Provides the mmkubernetes module +Group: System Environment/Daemons +Requires: %name = %version-%release + +%package mmnormalize +Summary: Log normalization support for rsyslog +Group: System Environment/Daemons +Requires: %name = %version-%release +BuildRequires: liblognorm-devel + +%package mmfields +Summary: Fields extraction module +Requires: %name = %version-%release + +%package mmsnmptrapd +Summary: Message modification module for snmptrapd generated messages +Group: System Environment/Daemons +Requires: %name = %version-%release + +%package mysql +Summary: MySQL support for rsyslog +Group: System Environment/Daemons +Requires: %name = %version-%release +BuildRequires: mariadb-connector-c-devel + +%package omamqp1 +Summary: AMQP1 support for rsyslog +Group: System Environment/Daemons +Requires: %name = %version-%release +Requires: cyrus-sasl-lib +Requires: openssl-libs +BuildRequires: cmake +BuildRequires: make +BuildRequires: gcc +BuildRequires: gcc-c++ +BuildRequires: cyrus-sasl-devel +BuildRequires: openssl-devel +BuildRequires: python3 + +%package pgsql +Summary: PostgresSQL support for rsyslog +Group: System Environment/Daemons +Requires: %name = %version-%release +BuildRequires: postgresql-devel + +%package relp +Summary: RELP protocol support for rsyslog +Group: System Environment/Daemons +Requires: %name = %version-%release +Requires: librelp >= 1.9.0 +BuildRequires: librelp-devel >= 1.9.0 + +%package snmp +Summary: SNMP protocol support for rsyslog +Group: System Environment/Daemons +Requires: %name = %version-%release +BuildRequires: net-snmp-devel + +%package udpspoof +Summary: Provides the omudpspoof module +Group: System Environment/Daemons +Requires: %name = %version-%release +BuildRequires: libnet-devel + +%description +Rsyslog is an enhanced, multi-threaded syslog daemon. 
It supports MySQL, +syslog/TCP, RFC 3195, permitted sender lists, filtering on any message part, +and fine grain output format control. It is compatible with stock sysklogd +and can be used as a drop-in replacement. Rsyslog is simple to set up, with +advanced features suitable for enterprise-class, encryption-protected syslog +relay chains. + +%description crypto +This package contains a module providing log file encryption and a +command line tool to process encrypted logs. + +%description doc +This subpackage contains documentation for rsyslog. + +%description elasticsearch +This module provides the capability for rsyslog to feed logs directly into +Elasticsearch. + +%description gnutls +The rsyslog-gnutls package contains the rsyslog plugins that provide the +ability to send and receive syslog messages via TCP or RELP using TLS +encryption via GnuTLS library. For details refer to rsyslog doc on imtcp +and omfwd modules. + +%description openssl +The rsyslog-openssl package contains the rsyslog plugins that provide the +ability to send and receive syslog messages via TCP or RELP using TLS +encryption via OpenSSL library. For details refer to rsyslog doc on imtcp +and omfwd modules. + +%description gssapi +The rsyslog-gssapi package contains the rsyslog plugins which support GSSAPI +authentication and secure connections. GSSAPI is commonly used for Kerberos +authentication. + +%description kafka +The rsyslog-kafka package provides modules for Apache Kafka input and output. + +%description mmaudit +This module provides message modification supporting Linux audit format +in various settings. + +%description mmjsonparse +This module provides the capability to recognize and parse JSON enhanced +syslog messages. + +%description mmkubernetes +The rsyslog-mmkubernetes package provides module for adding kubernetes +container metadata. + +%description mmnormalize +This module provides the capability to normalize log messages via liblognorm. 
+ +%description mmfields +The mmfield module permits to extract fields. Using this module is of special +advantage if a field-based log format is to be processed, like for example CEF +and either a large number of fields is needed or a specific field is used multiple +times inside filters. + +%description mmsnmptrapd +This message modification module takes messages generated from snmptrapd and +modifies them so that they look like they originated from the read originator. + +%description mysql +The rsyslog-mysql package contains a dynamic shared object that will add +MySQL database support to rsyslog. + +%description omamqp1 +The rsyslog-omamqp1 package contains a dynamic shared object that will add +AMQP1 support to rsyslog. + +%description pgsql +The rsyslog-pgsql package contains a dynamic shared object that will add +PostgreSQL database support to rsyslog. + +%description relp +The rsyslog-relp package contains the rsyslog plugins that provide +the ability to receive syslog messages via the reliable RELP +protocol. + +%description snmp +The rsyslog-snmp package contains the rsyslog plugin that provides the +ability to send syslog messages as SNMPv1 and SNMPv2c traps. + +%description udpspoof +This module is similar to the regular UDP forwarder, but permits to +spoof the sender address. Also, it enables to circle through a number +of source ports. 
+ +%prep +# set up rsyslog-doc sources +%setup -q -a 1 -T -c + +#regenerate the docs + +#mv build/searchindex.js searchindex_backup.js +#sphinx-build -b html source build +#clean up +#mv searchindex_backup.js build/searchindex.js + +rm -r LICENSE README.md source build/objects.inv +mv build doc + +# set up rsyslog sources +%setup -q -D +%setup -q -D -T -b 5 + +%patch0 -p1 -b .default-tag +%patch1 -p1 -b .fd-leak-on-fsync +%patch2 -p1 -b .timeout +%patch3 -p1 -b .unexpected-priority-length +%patch4 -p1 -b .imuxsock-rate-limit +%patch5 -p1 -b .abort-on-id-resolution-fail +%patch6 -p1 -b .prioritizeSAN +%patch7 -p1 -b .errfile-maxsize +%patch8 -p1 -b .state-file-leaking +%patch9 -p1 -b .state-file-leaking-doc +%patch10 -p1 -b .ossl-better-logs +%patch11 -p1 -b .imtcp-refactor-params +%patch12 -p1 -b .ossl-memory-leak +%patch13 -p1 -b .ossl-ciphers-behaviour +%patch14 -p1 -b .CVE-24903 +%patch15 -p1 -b .gnutls-error-handling +%patch16 -p1 -b .extra-ca-files +%patch17 -p1 -b .extra-ca-files-doc +%patch18 -p1 -b .imklog-heap + +%build +%ifarch sparc64 +#sparc64 need big PIE +export CFLAGS="$RPM_OPT_FLAGS -fPIC" +%else +export CFLAGS="$RPM_OPT_FLAGS -fpic" +%endif +# build the proton first +( + cd %{_builddir}/qpid-proton-0.34.0 + mkdir bld + cd bld + + # Need ENABLE_FUZZ_TESTING=NO to avoid a link failure + # Find python include dir and python library from + # https://stackoverflow.com/questions/24174394/cmake-is-not-able-to-find-python-libraries + cmake .. 
\ + -DBUILD_BINDINGS="" \ + -DBUILD_STATIC_LIBS=YES \ + -DENABLE_FUZZ_TESTING=NO \ + -DPYTHON_INCLUDE_DIR=$(python3 -c "from distutils.sysconfig import get_python_inc; print(get_python_inc())") \ + -DPYTHON_LIBRARY=$(python3 -c "import distutils.sysconfig as sysconfig; print(sysconfig.get_config_var('LIBDIR'))") \ + -DCMAKE_AR="/usr/bin/gcc-ar" -DCMAKE_NM="/usr/bin/gcc-nm" -DCMAKE_RANLIB="/usr/bin/gcc-ranlib" + make -j8 +) +%ifarch sparc64 +#sparc64 need big PIE +export CFLAGS="$RPM_OPT_FLAGS -fPIE" +%else +export CFLAGS="$RPM_OPT_FLAGS -fpie" +%endif +export LDFLAGS="-pie -Wl,-z,relro -Wl,-z,now" + +sed -i 's/%{version}/%{version}-%{release}/g' configure.ac +autoreconf -if +%configure \ + --prefix=/usr \ + --disable-static \ + --disable-testbench \ + --enable-elasticsearch \ + --enable-generate-man-pages \ + --enable-gnutls \ + --enable-openssl \ + --enable-gssapi-krb5 \ + --enable-imdiag \ + --enable-imfile \ + --enable-imjournal \ + --enable-imkafka \ + --enable-impstats \ + --enable-imptcp \ + --enable-mail \ + --enable-mmanon \ + --enable-mmaudit \ + --enable-mmcount \ + --enable-mmjsonparse \ + --enable-mmkubernetes \ + --enable-mmnormalize \ + --enable-mmfields \ + --enable-mmsnmptrapd \ + --enable-mmutf8fix \ + --enable-mysql \ + --enable-omamqp1 PROTON_LIBS="%{_builddir}/qpid-proton-0.34.0/bld/c/libqpid-proton-core-static.a %{_builddir}/qpid-proton-0.34.0/bld/c/libqpid-proton-proactor-static.a %{_builddir}/qpid-proton-0.34.0/bld/c/libqpid-proton-static.a -lssl -lsasl2 -lcrypto" PROTON_CFLAGS="-I%{_builddir}/qpid-proton-0.34.0/bld/c/include" \ + --enable-omhttp \ + --enable-omjournal \ + --enable-omkafka \ + --enable-omprog \ + --enable-omstdout \ + --enable-omudpspoof \ + --enable-omuxsock \ + --enable-pgsql \ + --enable-pmaixforwardedfrom \ + --enable-pmcisconames \ + --enable-pmlastmsg \ + --enable-pmsnare \ + --enable-relp \ + --enable-snmp \ + --enable-unlimited-select \ + --enable-usertools + +make + +%install +make DESTDIR=%{buildroot} install + 
+install -d -m 755 %{buildroot}%{_sysconfdir}/sysconfig +install -d -m 755 %{buildroot}%{_sysconfdir}/logrotate.d +install -d -m 755 %{buildroot}%{_unitdir} +install -d -m 755 %{buildroot}%{_sysconfdir}/rsyslog.d +install -d -m 700 %{buildroot}%{rsyslog_statedir} +install -d -m 700 %{buildroot}%{rsyslog_pkidir} +install -d -m 755 %{buildroot}%{rsyslog_docdir}/html + +install -p -m 644 %{SOURCE2} %{buildroot}%{_sysconfdir}/rsyslog.conf +install -p -m 644 %{SOURCE3} %{buildroot}%{_sysconfdir}/sysconfig/rsyslog +install -p -m 644 %{SOURCE4} %{buildroot}%{_sysconfdir}/logrotate.d/syslog +install -p -m 644 %{SOURCE6} %{buildroot}%{_unitdir}/rsyslog.service +install -p -m 644 plugins/ommysql/createDB.sql %{buildroot}%{rsyslog_docdir}/mysql-createDB.sql +install -p -m 644 plugins/ompgsql/createDB.sql %{buildroot}%{rsyslog_docdir}/pgsql-createDB.sql +install -p -m 644 contrib/mmkubernetes/*.rulebase %{buildroot}%{rsyslog_docdir} +# extract documentation +cp -r doc/* %{buildroot}%{rsyslog_docdir}/html +# get rid of libtool libraries +rm -f %{buildroot}%{_libdir}/rsyslog/*.la + +# convert line endings from "\r\n" to "\n" +cat tools/recover_qi.pl | tr -d '\r' > %{buildroot}%{_bindir}/rsyslog-recover-qi.pl + +%post +for n in /var/log/{messages,secure,maillog,spooler} +do + [ -f $n ] && continue + umask 066 && touch $n +done +%systemd_post rsyslog.service + +%preun +%systemd_preun rsyslog.service + +%postun +%systemd_postun_with_restart rsyslog.service + +%files +%doc AUTHORS COPYING* ChangeLog +%exclude %{rsyslog_docdir}/html +%exclude %{rsyslog_docdir}/mysql-createDB.sql +%exclude %{rsyslog_docdir}/pgsql-createDB.sql +%dir %{_libdir}/rsyslog +%dir %{_sysconfdir}/rsyslog.d +%dir %{rsyslog_statedir} +%dir %{rsyslog_pkidir} +%{_sbindir}/rsyslogd +%attr(755,root,root) %{_bindir}/rsyslog-recover-qi.pl +%{_mandir}/man5/rsyslog.conf.5.gz +%{_mandir}/man8/rsyslogd.8.gz +%{_unitdir}/rsyslog.service +%config(noreplace) %{_sysconfdir}/rsyslog.conf +%config(noreplace) 
%{_sysconfdir}/sysconfig/rsyslog +%config(noreplace) %{_sysconfdir}/logrotate.d/syslog +# plugins +%{_libdir}/rsyslog/fmhash.so +%{_libdir}/rsyslog/fmhttp.so +%{_libdir}/rsyslog/imdiag.so +%{_libdir}/rsyslog/imfile.so +%{_libdir}/rsyslog/imjournal.so +%{_libdir}/rsyslog/imklog.so +%{_libdir}/rsyslog/immark.so +%{_libdir}/rsyslog/impstats.so +%{_libdir}/rsyslog/imptcp.so +%{_libdir}/rsyslog/imtcp.so +%{_libdir}/rsyslog/imudp.so +%{_libdir}/rsyslog/imuxsock.so +%{_libdir}/rsyslog/lmnet.so +%{_libdir}/rsyslog/lmnetstrms.so +%{_libdir}/rsyslog/lmnsd_ptcp.so +%{_libdir}/rsyslog/lmregexp.so +%{_libdir}/rsyslog/lmtcpclt.so +%{_libdir}/rsyslog/lmtcpsrv.so +%{_libdir}/rsyslog/lmzlibw.so +%{_libdir}/rsyslog/mmanon.so +%{_libdir}/rsyslog/mmcount.so +%{_libdir}/rsyslog/mmexternal.so +%{_libdir}/rsyslog/mmutf8fix.so +%{_libdir}/rsyslog/omhttp.so +%{_libdir}/rsyslog/omjournal.so +%{_libdir}/rsyslog/ommail.so +%{_libdir}/rsyslog/omprog.so +%{_libdir}/rsyslog/omstdout.so +%{_libdir}/rsyslog/omtesting.so +%{_libdir}/rsyslog/omuxsock.so +%{_libdir}/rsyslog/pmaixforwardedfrom.so +%{_libdir}/rsyslog/pmcisconames.so +%{_libdir}/rsyslog/pmlastmsg.so +%{_libdir}/rsyslog/pmsnare.so + +%files crypto +%{_bindir}/rscryutil +%{_mandir}/man1/rscryutil.1.gz +%{_libdir}/rsyslog/lmcry_gcry.so + +%files doc +%doc %{rsyslog_docdir}/html + +%files elasticsearch +%{_libdir}/rsyslog/omelasticsearch.so + +%files gssapi +%{_libdir}/rsyslog/lmgssutil.so +%{_libdir}/rsyslog/imgssapi.so +%{_libdir}/rsyslog/omgssapi.so + +%files gnutls +%{_libdir}/rsyslog/lmnsd_gtls.so + +%files openssl +%{_libdir}/rsyslog/lmnsd_ossl.so + +%files kafka +%{_libdir}/rsyslog/imkafka.so +%{_libdir}/rsyslog/omkafka.so + +%files mmaudit +%{_libdir}/rsyslog/mmaudit.so + +%files mmjsonparse +%{_libdir}/rsyslog/mmjsonparse.so + +%files mmkubernetes +%{_libdir}/rsyslog/mmkubernetes.so +%doc %{rsyslog_docdir}/k8s_filename.rulebase +%doc %{rsyslog_docdir}/k8s_container_name.rulebase + +%files mmnormalize 
+%{_libdir}/rsyslog/mmnormalize.so + +%files mmfields +%{_libdir}/rsyslog/mmfields.so + +%files mmsnmptrapd +%{_libdir}/rsyslog/mmsnmptrapd.so + +%files mysql +%doc %{rsyslog_docdir}/mysql-createDB.sql +%{_libdir}/rsyslog/ommysql.so + +%files omamqp1 +%{_libdir}/rsyslog/omamqp1.so + +%files pgsql +%doc %{rsyslog_docdir}/pgsql-createDB.sql +%{_libdir}/rsyslog/ompgsql.so + +%files relp +%{_libdir}/rsyslog/imrelp.so +%{_libdir}/rsyslog/omrelp.so + +%files snmp +%{_libdir}/rsyslog/omsnmp.so + +%files udpspoof +%defattr(-,root,root) +%{_libdir}/rsyslog/omudpspoof.so + +%changelog +* Mon Jan 09 2023 Attila Lakatos - 8.2102.0-13 +- Make rsyslog-relp require librelp>= 1.9.0 + resolves: rhbz#2029352 +- Reorder logrotate parameters to work with POSIXLY_CORRECT env var + resolves: rhbz#2070496 + +* Fri Jan 06 2023 Attila Lakatos - 8.2102.0-12 +- Fix invalid memory adressing in imklog that could cause abort + resolves: rhbz#2157658 + +* Tue Sep 06 2022 Sergio Arroutbi - 8.2102.0-11 +- Enable multiple SSL CA files + resolves: rhbz#2124934 + +* Wed Apr 13 2022 Attila Lakatos - 8.2102.0-10 +- openssl: Correct gnutlsPriorityString (custom ciphers) behaviour +- Fix error handling in gtlsRecordRecv that can cause 100 percent CPU usage + resolves: rhbz#2046158 +- Address CVE-2022-24903, Heap-based overflow in TCP syslog server + resolves: rhbz#2081401 + +* Mon Mar 28 2022 Attila Lakatos - 8.2102.0-9 +- Add deleteStateOnFileMove imfile module option + resolves: rhbz#1909639 +- Add inotify_rm_watch() inotify API call when object needs to be destroyed + resolves: rhbz#2052403 + +* Fri Mar 04 2022 Sergio Arroutbi - 8.2102.0-8 +- Include maxsize for error files + resolves: rhbz#1962318 + +* Mon Nov 22 2021 Attila Lakatos - 8.2102.0-7 +- Propagate prioritizeSAN when accepting new connection + resolves: rhbz#1832368 + +* Mon Oct 18 2021 Attila Lakatos - 8.2102.0-6 +- Enable mmfields module + resolves: rhbz#1947907 + resolves: rhbz#1866900 + +* Wed Aug 04 2021 Attila Lakatos - 8.2102.0-5 +- 
Do not exit when user/group can not be found
+ resolves: rhbz#1984489
+- Remove abortOnIDResolution fail
+
+* Tue Jul 27 2021 Attila Lakatos - 8.2102.0-4
+- Allways use message severity when comparing with ratelimit severity
+ resolves: rhbz#1984616
+
+* Mon Jun 28 2021 Attila Lakatos - 8.2102.0-3
+- Priority field must have valid length
+ resolves: rhbz#1866877
+- Allocate more memory on too large groups
+ resolves: rhbz#1944718
+
+* Tue May 18 2021 Attila Lakatos - 8.2102.0-2
+ RHEL 8.5.0 ERRATUM
+- rebase to 8.2102.0
+ resolves: rhbz#1932795
+- Enable openssl
+ resolves: rhbz#1891458
+- EKU check for client cert on server side
+ resolves: rhbz#1783348
+- Use GNUTLS_SHUT_WR when ending TLS connections
+ resolves: rhbz#1880434
+- Use librelp with openssl enabled
+ resolves: rhbz#1795607
+- Close dir when fsync=on
+ resolves: rhbz#1960536
+
+* Wed Nov 18 2020 Attila Lakatos - 8.1911.0-7
+- add back rsyslog-udpspoof package
+ resolves: rhbz#1869874
+
+* Thu Jun 18 2020 Jiri Vymazal - 8.1911.0-6
+ RHEL 8.3.0 ERRATUM
+- added patch preventing imfile crash when selinux blocks symlink
+ access
+ resolves: rhbz#1843994
+- fixed config-enabled patch
+ resolves: rhbz#1659383
+
+* Thu Jun 04 2020 Jiri Vymazal - 8.1911.0-5
+ RHEL 8.3.0 ERRATUM
+- added qpid-proton as another source and enabled omamqp1 module
+ in a separate sub-package with it statically linked
+ resolves: rhbz#1713427
+- extended config.enabled patch to cover rest of the cases
+ resolves: rhbz#1659383
+- added patch making json serialization thread-safe
+ resolves: rhbz#1789675
+- added another patch for imfile state-files id
+ resolves: rhbz#1793569
+- fixed typo in commend-out part of default rsyslog.conf
+
+* Wed Dec 11 2019 Jiri Vymazal - 8.1911.0-3
+ RHEL 8.2.0 ERRATUM
+- added patch reverting rejecting expired certs by default
+ resolves: rhbz#1782353
+- added patch silencing false errors on config.enabled statement
+ resolves: rhbz#1659383
+
+* Tue Dec 03 2019 Jiri Vymazal - 8.1911.0-2
+ RHEL 8.2.0 
ERRATUM
+- cleaned old patches, fixed patch names
+ resolves: rhbz#1740683
+
+* Mon Dec 02 2019 Jiri Vymazal - 8.1911.0-1
+ RHEL 8.2.0 ERRATUM
+- rebased to 8.1911.0 upstream version, removed, previously
+ upstreamed patches
+ resolves: rhbz#1740683
+ resolves: rhbz#1659383
+ resolves: rhbz#1746876
+ resolves: rhbz#1676559
+ resolves: rhbz#1692072
+ resolves: rhbz#1692073
+ resolves: rhbz#1692074
+ resolves: rhbz#1699242
+ resolves: rhbz#1738213
+ resolves: rhbz#1744691
+ resolves: rhbz#1755218
+ resolves: rhbz#1768321
+ resolves: rhbz#1768324
+- added patch fixing imfile stefiles naming
+ resolves: rhbz#1763757
+
+* Fri Aug 30 2019 Jiri Vymazal - 8.37.0-13
+ RHEL 8.1.0 ERRATUM
+- added patch enabling stricter TLS certs checking conforming to
+ common criteria requirements
+ resolves: rhbz#1733244
+
+* Mon Jul 22 2019 Jiri Vymazal - 8.37.0-12
+ RHEL 8.1.0 ERRATUM
+- edited imjournal memleak patch to not cause double-free crash
+ resolves: rhbz#1729995
+- added patch calling journald API only when there are no
+ preceeding errors
+ resolves: rhbz#1722165
+- added patch fixing imrelp module when invoked with old syntax
+ resolves: rhbz#1724218
+
+* Wed Jun 05 2019 Jiri Vymazal - 8.37.0-11
+ RHEL 8.1.0 ERRATUM
+- fixed memory leak in imjournal by proper cursor releasing
+ resolves: rhbz#1716867
+
+* Fri May 10 2019 Jiri Vymazal - 8.37.0-10
+ RHEL 8.1.0 ERRATUM
+- added option for imfile endmsg.regex
+ resolves: rhbz#1627941
+- added patch enhancing imfile rotation detection
+ resolves: rhbz#1674471
+- added patch fixing msgOffset datatype preventing crash on
+ message with too long other fields
+ resolves: rhbz#1677037
+- added patch introducing "preservecase" option for imudp/imtcp
+ resolves: rhbz#1614181
+
+* Mon Dec 17 2018 Jiri Vymazal - 8.37.0-9
+ RHEL 8.0.0 ERRATUM
+- added back legacy option for imjournal default tag
+ resolves: rhbz#1659898
+
+* Fri Dec 14 2018 Jiri Vymazal - 8.37.0-8
+ RHEL 8.0.0 ERRATUM
+- fixes mmkubenetes handling 404 and 429 errors
+ 
resolves: rhbz#1622768
+
+* Fri Oct 19 2018 Jiri Vymazal - 8.37.0-7
+- removed version from docdir macro
+ resolves: rhbz#1638023
+
+* Mon Aug 27 2018 Jiri Vymazal - 8.37.0-6
+- updated patch for enhanced imfile symlink support
+ resolves: rhbz#1614179
+
+* Fri Aug 10 2018 Jiri Vymazal - 8.37.0-5
+- rebuild for rebased dependencies
+- dependency cleanup and sorted sub-packages in spec
+ resolves: rhbz#1613880
+
+* Fri Aug 10 2018 Jiri Vymazal - 8.37.0-4
+- enabled mmkubernetes module
+ resolves: rhbz#1614432
+ resolves: rhbz#1614441
+
+* Thu Aug 09 2018 Josef Ridky - 8.37.0-3
+- Rebuild for Net-SNMP
+
+* Thu Aug 09 2018 Jiri Vymazal - 8.37.0-2
+- added patch for enhanced imfile symlink support
+ resolves: rhbz#1614179
+
+* Wed Aug 08 2018 Jiri Vymazal - 8.37.0-1
+- rebase to 8.37.0
+ resolves: rhbz#1613880
+ resolves: rhbz#1564054
+ resolves: rhbz#1598218
+ - dropped invalid statefile patch - upstreamed
+ - dropped imjournal duplicates patch - upstreamed
+ resolves: rhbz#1544394
+- renumbered default tag patch and fitted onto rebased version
+
+* Fri Aug 03 2018 Jiri Vymazal - 8.36.0-4
+- removed dependency on libee
+ resolves: rhbz#1612032
+
+* Wed Aug 01 2018 Jiri Vymazal - 8.36.0-3
+- dropped json_nonoverwrite patch as there is no reason for
+ keeping it
+- renumbered rest of patches
+- added release number to AC_INIT to have it in package error logs
+
+* Mon Jul 16 2018 Charalampos Stratakis - 8.36.0-2
+- Depend on python3-docutils
+
+* Mon Jul 02 2018 Jiri Vymazal - 8.36.0-1
+- changed PID file name to follow upstream
+- removed config option to disable stdlog as it is now
+ disabled by default
+
+* Thu Jun 28 2018 Jiri Vymazal - 8.36.0-1
+- rebase to 8.36
+- removed hiredis module
+- removed omudpspoof module
+ resolves: rhbz#1593762
+- finished converting config to new-style syntax
+
+* Mon May 21 2018 Jiri Vymazal - 8.35.0-1
+- spec file cleanup
+- enabled kafka and hiredis modules
+ resolves: rhbz#1542497
+ resolves: rhbz#1542504
+- renamed patch fixing 
imjournal duplicating messages
+ resolves: rhbz#1544394
+
+* Thu May 17 2018 Marek Tamaskovic - 8.35.0-1
+- rebase to 8.35
+- rebased patches from 8.32 to 8.35
+ - fixed imjournal-duplicates
+ - fixed imjournal-default-tag
+ - fixed service patch
+ - fixed in upstream deserialize-property-name
+
+* Fri Mar 23 2018 Radovan Sroka - 8.32.0-2
+- rebuild, bumped release number
+
+* Tue Feb 06 2018 Radovan Sroka - 8.32.0-1
+- initial clean build with plugins from rhel7
+- removed plugins:
+ - libdbi
+ - omruleset
+ - pmrfc3164sd
+- imported from fedora26