rpms
/
rsyslog
20
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

merge into: rpms:c9
Branches Tags
rpms:i10c-beta
rpms:c10-beta
rpms:i10cs
rpms:cs10
rpms:i8c
rpms:c8
rpms:i9c-beta
rpms:c9-beta
rpms:i9c
rpms:c9
...
pull from: rpms:i8c
Branches Tags
rpms:i10c-beta
rpms:c10-beta
rpms:i10cs
rpms:cs10
rpms:i8c
rpms:c8
rpms:i9c-beta
rpms:c9-beta
rpms:i9c
rpms:c9

No commits in common. 'c9' and 'i8c' have entirely different histories.
c9 ... i8c

25 changed files with 2077 additions and 2699 deletions
Show Stats

2
.gitignore vendored
Unescape View File

@ -1,3 +1,3 @@
SOURCES/qpid-proton-0.39.0.tar.gz
SOURCES/qpid-proton-0.34.0.tar.gz
SOURCES/rsyslog-8.2102.0.tar.gz
SOURCES/rsyslog-doc-8.2102.0.tar.gz

2
.rsyslog.metadata
Unescape View File

@ -1,3 +1,3 @@
e2fe5aada26415aeb1902435a8acf5ee388cb2cf SOURCES/qpid-proton-0.39.0.tar.gz
390e5cb87a6331cf0ce451d7f6552e2c0d97f706 SOURCES/qpid-proton-0.34.0.tar.gz
fdda78ed808e7a0dca03ead9227a0a5d913a050f SOURCES/rsyslog-8.2102.0.tar.gz
9c2188d435cb5f79c1c35749003bd2a61e7f2d07 SOURCES/rsyslog-doc-8.2102.0.tar.gz

11
SOURCES/propagate-gnutlsPriorityString.patch
Unescape View File

@ -0,0 +1,11 @@
diff -up rsyslog-8.2102.0/runtime/nsd_ossl.c.orig rsyslog-8.2102.0/runtime/nsd_ossl.c
--- rsyslog-8.2102.0/runtime/nsd_ossl.c.orig 2024-08-26 15:27:50.528691153 +0200
+++ rsyslog-8.2102.0/runtime/nsd_ossl.c 2024-08-26 15:28:06.950855632 +0200
@@ -1544,6 +1544,7 @@ AcceptConnReq(nsd_t *pNsd, nsd_t **ppNew
pNew->permitExpiredCerts = pThis->permitExpiredCerts;
pNew->pPermPeers = pThis->pPermPeers;
pNew->DrvrVerifyDepth = pThis->DrvrVerifyDepth;
+ pNew->gnutlsPriorityString = pThis->gnutlsPriorityString;
CHKiRet(osslInitSession(pNew, osslServer));
/* Store nsd_ossl_t* reference in SSL obj */

11
SOURCES/rsyslog-8.2102.0-capabilities-capnetraw.patch
Unescape View File

@ -1,11 +0,0 @@
diff -up rsyslog-8.2102.0/tools/rsyslogd.c.orig rsyslog-8.2102.0/tools/rsyslogd.c
--- rsyslog-8.2102.0/tools/rsyslogd.c.orig 2023-03-06 09:33:13.969300666 +0100
+++ rsyslog-8.2102.0/tools/rsyslogd.c 2023-03-06 09:33:35.089326502 +0100
@@ -2164,6 +2164,7 @@ main(int argc, char **argv)
CAP_SETGID,
CAP_SETUID,
CAP_DAC_OVERRIDE,
+ CAP_NET_RAW,
CAP_SYS_ADMIN,
CAP_SYS_CHROOT,
CAP_SYS_RESOURCE,

67
SOURCES/rsyslog-8.2102.0-capabilities-drop-credential.patch
Unescape View File

@ -1,67 +0,0 @@
diff -up rsyslog-8.2102.0/runtime/rsconf.c.orig rsyslog-8.2102.0/runtime/rsconf.c
--- rsyslog-8.2102.0/runtime/rsconf.c.orig 2023-02-17 11:52:17.460043970 +0100
+++ rsyslog-8.2102.0/runtime/rsconf.c 2023-02-17 12:00:49.881602881 +0100
@@ -33,9 +33,6 @@
#include <sys/resource.h>
#include <sys/types.h>
#include <sys/stat.h>
-#ifdef ENABLE_LIBCAPNG
- #include <cap-ng.h>
-#endif
#include "rsyslog.h"
#include "obj.h"
@@ -549,7 +546,7 @@ rsRetVal doDropPrivGid(void)
uchar szBuf[1024];
DEFiRet;
-#ifndef ENABLE_LIBCAPNG
+
if(!ourConf->globals.gidDropPrivKeepSupplemental) {
res = setgroups(0, NULL); /* remove all supplemental group IDs */
if(res) {
@@ -567,15 +564,6 @@ rsRetVal doDropPrivGid(void)
"could not set requested group id: %s via setgid()", szBuf);
ABORT_FINALIZE(RS_RET_ERR_DROP_PRIV);
}
-#else
- int capng_flags = ourConf->globals.gidDropPrivKeepSupplemental ? CAPNG_NO_FLAG : CAPNG_DROP_SUPP_GRP;
- res = capng_change_id(-1, ourConf->globals.gidDropPriv, capng_flags);
- if (res) {
- LogError(0, RS_RET_LIBCAPNG_ERR,
- "could not set requested group id %d via capng_change_id()", ourConf->globals.gidDropPriv);
- ABORT_FINALIZE(RS_RET_LIBCAPNG_ERR);
- }
-#endif
DBGPRINTF("setgid(%d): %d\n", ourConf->globals.gidDropPriv, res);
snprintf((char*)szBuf, sizeof(szBuf), "rsyslogd's groupid changed to %d",
@@ -613,13 +601,8 @@ static void doDropPrivUid(int iUid)
iUid, szBuf);
}
-#ifndef ENABLE_LIBCAPNG
+
res = setuid(iUid);
- // res = setuid(cnf->globals.uidDropPriv);
-#else
- int capng_flags = ourConf->globals.gidDropPrivKeepSupplemental ? CAPNG_NO_FLAG : CAPNG_DROP_SUPP_GRP;
- res = capng_change_id(iUid, -1, capng_flags);
-#endif
if(res) {
/* if we can not set the userid, this is fatal, so let's unconditionally abort */
diff -up rsyslog-8.2102.0/tools/rsyslogd.c.orig rsyslog-8.2102.0/tools/rsyslogd.c
--- rsyslog-8.2102.0/tools/rsyslogd.c.orig 2023-02-17 11:52:00.011011019 +0100
+++ rsyslog-8.2102.0/tools/rsyslogd.c 2023-02-17 11:58:37.322491823 +0100
@@ -2161,9 +2161,9 @@ main(int argc, char **argv)
CAP_LEASE,
CAP_NET_ADMIN,
CAP_NET_BIND_SERVICE,
- CAP_PERFMON,
CAP_SETGID,
CAP_SETUID,
+ CAP_DAC_OVERRIDE,
CAP_SYS_ADMIN,
CAP_SYS_CHROOT,
CAP_SYS_RESOURCE,

908
SOURCES/rsyslog-8.2102.0-imtcp-param-refactor.patch
Unescape View File

@ -0,0 +1,908 @@
diff --git a/plugins/imdiag/imdiag.c b/plugins/imdiag/imdiag.c
index 3e27ee4d36..d57dd5661c 100644
--- a/plugins/imdiag/imdiag.c
+++ b/plugins/imdiag/imdiag.c
@@ -566,28 +566,33 @@ setInjectDelayMode(void __attribute__((unused)) *pVal, uchar *const pszMode)
}
-static rsRetVal addTCPListener(void __attribute__((unused)) *pVal, uchar *pNewVal)
+static rsRetVal
+addTCPListener(void __attribute__((unused)) *pVal, uchar *pNewVal)
{
+ tcpLstnParams_t *cnf_params = NULL;
DEFiRet;
- if(pOurTcpsrv == NULL) {
- CHKiRet(tcpsrv.Construct(&pOurTcpsrv));
- CHKiRet(tcpsrv.SetSessMax(pOurTcpsrv, iTCPSessMax));
- CHKiRet(tcpsrv.SetCBIsPermittedHost(pOurTcpsrv, isPermittedHost));
- CHKiRet(tcpsrv.SetCBRcvData(pOurTcpsrv, doRcvData));
- CHKiRet(tcpsrv.SetCBOpenLstnSocks(pOurTcpsrv, doOpenLstnSocks));
- CHKiRet(tcpsrv.SetCBOnRegularClose(pOurTcpsrv, onRegularClose));
- CHKiRet(tcpsrv.SetCBOnErrClose(pOurTcpsrv, onErrClose));
- CHKiRet(tcpsrv.SetDrvrMode(pOurTcpsrv, iStrmDrvrMode));
- CHKiRet(tcpsrv.SetOnMsgReceive(pOurTcpsrv, OnMsgReceived));
- CHKiRet(tcpsrv.SetLstnPortFileName(pOurTcpsrv, pszLstnPortFileName));
- /* now set optional params, but only if they were actually configured */
- if(pszStrmDrvrAuthMode != NULL) {
- CHKiRet(tcpsrv.SetDrvrAuthMode(pOurTcpsrv, pszStrmDrvrAuthMode));
- }
- if(pPermPeersRoot != NULL) {
- CHKiRet(tcpsrv.SetDrvrPermPeers(pOurTcpsrv, pPermPeersRoot));
- }
+ if(pOurTcpsrv != NULL) {
+ LogError(0, NO_ERRCODE, "imdiag: only a single listener is supported, "
+ "trying to add a second");
+ ABORT_FINALIZE(RS_RET_ERR);
+ }
+ CHKmalloc(cnf_params = (tcpLstnParams_t*) calloc(1, sizeof(tcpLstnParams_t)));
+ CHKiRet(tcpsrv.Construct(&pOurTcpsrv));
+ CHKiRet(tcpsrv.SetSessMax(pOurTcpsrv, iTCPSessMax));
+ CHKiRet(tcpsrv.SetCBIsPermittedHost(pOurTcpsrv, isPermittedHost));
+ CHKiRet(tcpsrv.SetCBRcvData(pOurTcpsrv, doRcvData));
+ CHKiRet(tcpsrv.SetCBOpenLstnSocks(pOurTcpsrv, doOpenLstnSocks));
+ CHKiRet(tcpsrv.SetCBOnRegularClose(pOurTcpsrv, onRegularClose));
+ CHKiRet(tcpsrv.SetCBOnErrClose(pOurTcpsrv, onErrClose));
+ CHKiRet(tcpsrv.SetDrvrMode(pOurTcpsrv, iStrmDrvrMode));
+ CHKiRet(tcpsrv.SetOnMsgReceive(pOurTcpsrv, OnMsgReceived));
+ /* now set optional params, but only if they were actually configured */
+ if(pszStrmDrvrAuthMode != NULL) {
+ CHKiRet(tcpsrv.SetDrvrAuthMode(pOurTcpsrv, pszStrmDrvrAuthMode));
+ }
+ if(pPermPeersRoot != NULL) {
+ CHKiRet(tcpsrv.SetDrvrPermPeers(pOurTcpsrv, pPermPeersRoot));
}
/* initialized, now add socket */
@@ -595,7 +600,11 @@ static rsRetVal addTCPListener(void __attribute__((unused)) *pVal, uchar *pNewVa
UCHAR_CONSTANT("imdiag") : pszInputName));
CHKiRet(tcpsrv.SetOrigin(pOurTcpsrv, (uchar*)"imdiag"));
/* we support octect-counted frame (constant 1 below) */
- tcpsrv.configureTCPListen(pOurTcpsrv, pNewVal, 1, NULL, pszLstnPortFileName);
+ cnf_params->pszPort = pNewVal;
+ cnf_params->bSuppOctetFram = 1;
+ CHKmalloc(cnf_params->pszLstnPortFileName = (const uchar*) strdup((const char*)pszLstnPortFileName));
+ tcpsrv.configureTCPListen(pOurTcpsrv, cnf_params);
+ cnf_params = NULL;
finalize_it:
if(iRet != RS_RET_OK) {
@@ -603,7 +612,7 @@ static rsRetVal addTCPListener(void __attribute__((unused)) *pVal, uchar *pNewVa
if(pOurTcpsrv != NULL)
tcpsrv.Destruct(&pOurTcpsrv);
}
- free(pNewVal);
+ free(cnf_params);
RETiRet;
}
@@ -760,6 +769,7 @@ CODESTARTmodExit
/* free some globals to keep valgrind happy */
free(pszInputName);
+fprintf(stderr, "FINAL FREE %p\n", pszLstnPortFileName);
free(pszLstnPortFileName);
free(pszStrmDrvrAuthMode);
diff --git a/plugins/imgssapi/imgssapi.c b/plugins/imgssapi/imgssapi.c
index e0cab01664..4041e88b14 100644
--- a/plugins/imgssapi/imgssapi.c
+++ b/plugins/imgssapi/imgssapi.c
@@ -334,34 +334,38 @@ static rsRetVal
actGSSListener(uchar *port)
{
DEFiRet;
+ tcpLstnParams_t *cnf_params = NULL;
gsssrv_t *pGSrv = NULL;
- if(pOurTcpsrv == NULL) {
- /* first create/init the gsssrv "object" */
- if((pGSrv = calloc(1, sizeof(gsssrv_t))) == NULL)
- ABORT_FINALIZE(RS_RET_OUT_OF_MEMORY);
-
- pGSrv->allowedMethods = ALLOWEDMETHOD_GSS;
- if(bPermitPlainTcp)
- pGSrv->allowedMethods |= ALLOWEDMETHOD_TCP;
- /* gsssrv initialized */
-
- CHKiRet(tcpsrv.Construct(&pOurTcpsrv));
- CHKiRet(tcpsrv.SetUsrP(pOurTcpsrv, pGSrv));
- CHKiRet(tcpsrv.SetCBOnSessConstructFinalize(pOurTcpsrv, OnSessConstructFinalize));
- CHKiRet(tcpsrv.SetCBOnSessDestruct(pOurTcpsrv, OnSessDestruct));
- CHKiRet(tcpsrv.SetCBIsPermittedHost(pOurTcpsrv, isPermittedHost));
- CHKiRet(tcpsrv.SetCBRcvData(pOurTcpsrv, doRcvData));
- CHKiRet(tcpsrv.SetCBOpenLstnSocks(pOurTcpsrv, doOpenLstnSocks));
- CHKiRet(tcpsrv.SetCBOnSessAccept(pOurTcpsrv, onSessAccept));
- CHKiRet(tcpsrv.SetCBOnRegularClose(pOurTcpsrv, onRegularClose));
- CHKiRet(tcpsrv.SetCBOnErrClose(pOurTcpsrv, onErrClose));
- CHKiRet(tcpsrv.SetInputName(pOurTcpsrv, UCHAR_CONSTANT("imgssapi")));
- CHKiRet(tcpsrv.SetKeepAlive(pOurTcpsrv, bKeepAlive));
- CHKiRet(tcpsrv.SetOrigin(pOurTcpsrv, UCHAR_CONSTANT("imgssapi")));
- tcpsrv.configureTCPListen(pOurTcpsrv, port, 1, NULL, NULL);
- CHKiRet(tcpsrv.ConstructFinalize(pOurTcpsrv));
- }
+ assert(pOurTcpsrv == NULL);
+ CHKmalloc(cnf_params = (tcpLstnParams_t*) calloc(1, sizeof(tcpLstnParams_t)));
+ /* first create/init the gsssrv "object" */
+ if((pGSrv = calloc(1, sizeof(gsssrv_t))) == NULL)
+ ABORT_FINALIZE(RS_RET_OUT_OF_MEMORY);
+
+ pGSrv->allowedMethods = ALLOWEDMETHOD_GSS;
+ if(bPermitPlainTcp)
+ pGSrv->allowedMethods |= ALLOWEDMETHOD_TCP;
+ /* gsssrv initialized */
+
+ CHKiRet(tcpsrv.Construct(&pOurTcpsrv));
+ CHKiRet(tcpsrv.SetUsrP(pOurTcpsrv, pGSrv));
+ CHKiRet(tcpsrv.SetCBOnSessConstructFinalize(pOurTcpsrv, OnSessConstructFinalize));
+ CHKiRet(tcpsrv.SetCBOnSessDestruct(pOurTcpsrv, OnSessDestruct));
+ CHKiRet(tcpsrv.SetCBIsPermittedHost(pOurTcpsrv, isPermittedHost));
+ CHKiRet(tcpsrv.SetCBRcvData(pOurTcpsrv, doRcvData));
+ CHKiRet(tcpsrv.SetCBOpenLstnSocks(pOurTcpsrv, doOpenLstnSocks));
+ CHKiRet(tcpsrv.SetCBOnSessAccept(pOurTcpsrv, onSessAccept));
+ CHKiRet(tcpsrv.SetCBOnRegularClose(pOurTcpsrv, onRegularClose));
+ CHKiRet(tcpsrv.SetCBOnErrClose(pOurTcpsrv, onErrClose));
+ CHKiRet(tcpsrv.SetInputName(pOurTcpsrv, UCHAR_CONSTANT("imgssapi")));
+ CHKiRet(tcpsrv.SetKeepAlive(pOurTcpsrv, bKeepAlive));
+ CHKiRet(tcpsrv.SetOrigin(pOurTcpsrv, UCHAR_CONSTANT("imgssapi")));
+ cnf_params->pszPort = port;
+ cnf_params->bSuppOctetFram = 1;
+ tcpsrv.configureTCPListen(pOurTcpsrv, cnf_params);
+ CHKiRet(tcpsrv.ConstructFinalize(pOurTcpsrv));
+ cnf_params = NULL;
finalize_it:
if(iRet != RS_RET_OK) {
@@ -370,6 +374,7 @@ actGSSListener(uchar *port)
tcpsrv.Destruct(&pOurTcpsrv);
free(pGSrv);
}
+ free(cnf_params);
RETiRet;
}
diff --git a/plugins/imtcp/imtcp.c b/plugins/imtcp/imtcp.c
index cf74d4c616..c336e6c24d 100644
--- a/plugins/imtcp/imtcp.c
+++ b/plugins/imtcp/imtcp.c
@@ -4,7 +4,7 @@
* File begun on 2007-12-21 by RGerhards (extracted from syslogd.c,
* which at the time of the rsyslog fork was BSD-licensed)
*
- * Copyright 2007-2017 Adiscon GmbH.
+ * Copyright 2007-2020 Adiscon GmbH.
*
* This file is part of rsyslog.
*
@@ -112,9 +112,7 @@ static struct configSettings_s {
} cs;
struct instanceConf_s {
- uchar *pszBindPort; /* port to bind to */
- uchar *pszLstnPortFileName; /* file dynamic port is written to */
- uchar *pszBindAddr; /* IP to bind socket to */
+ tcpLstnParams_t *cnf_params; /**< listener config parameters */
uchar *pszBindRuleset; /* name of ruleset to bind to */
ruleset_t *pBindRuleset; /* ruleset to bind listener to (use system default if unspecified) */
uchar *pszInputName; /* value for inputname property, NULL is OK and handled by core engine */
@@ -122,7 +120,6 @@ struct instanceConf_s {
sbool bSPFramingFix;
unsigned int ratelimitInterval;
unsigned int ratelimitBurst;
- int bSuppOctetFram;
struct instanceConf_s *next;
};
@@ -288,19 +285,20 @@ setPermittedPeer(void __attribute__((unused)) *pVal, uchar *pszID)
static rsRetVal
createInstance(instanceConf_t **pinst)
{
- instanceConf_t *inst;
+ instanceConf_t *inst = NULL;
+
DEFiRet;
CHKmalloc(inst = malloc(sizeof(instanceConf_t)));
+ CHKmalloc(inst->cnf_params = (tcpLstnParams_t*) calloc(1, sizeof(tcpLstnParams_t)));
inst->next = NULL;
inst->pszBindRuleset = NULL;
inst->pszInputName = NULL;
- inst->pszBindAddr = NULL;
inst->dfltTZ = NULL;
- inst->bSuppOctetFram = -1; /* unset */
+ inst->cnf_params->bSuppOctetFram = -1; /* unset */
inst->bSPFramingFix = 0;
inst->ratelimitInterval = 0;
inst->ratelimitBurst = 10000;
- inst->pszLstnPortFileName = NULL;
+ inst->cnf_params->pszLstnPortFileName = NULL;
/* node created, let's add to config */
if(loadModConf->tail == NULL) {
@@ -312,6 +310,9 @@ createInstance(instanceConf_t **pinst)
*pinst = inst;
finalize_it:
+ if(iRet != RS_RET_OK) {
+ free(inst);
+ }
RETiRet;
}
@@ -328,7 +329,7 @@ static rsRetVal addInstance(void __attribute__((unused)) *pVal, uchar *pNewVal)
CHKiRet(createInstance(&inst));
- CHKmalloc(inst->pszBindPort = ustrdup((pNewVal == NULL || *pNewVal == '\0')
+ CHKmalloc(inst->cnf_params->pszPort = ustrdup((pNewVal == NULL || *pNewVal == '\0')
? (uchar*) "10514" : pNewVal));
if((cs.pszBindRuleset == NULL) || (cs.pszBindRuleset[0] == '\0')) {
inst->pszBindRuleset = NULL;
@@ -336,14 +337,14 @@ static rsRetVal addInstance(void __attribute__((unused)) *pVal, uchar *pNewVal)
CHKmalloc(inst->pszBindRuleset = ustrdup(cs.pszBindRuleset));
}
if((cs.lstnIP == NULL) || (cs.lstnIP[0] == '\0')) {
- inst->pszBindAddr = NULL;
+ inst->cnf_params->pszAddr = NULL;
} else {
- CHKmalloc(inst->pszBindAddr = ustrdup(cs.lstnIP));
+ CHKmalloc(inst->cnf_params->pszAddr = ustrdup(cs.lstnIP));
}
if((cs.lstnPortFile == NULL) || (cs.lstnPortFile[0] == '\0')) {
- inst->pszBindAddr = NULL;
+ inst->cnf_params->pszAddr = NULL;
} else {
- CHKmalloc(inst->pszLstnPortFileName = ustrdup(cs.lstnPortFile));
+ CHKmalloc(inst->cnf_params->pszLstnPortFileName = ustrdup(cs.lstnPortFile));
}
if((cs.pszInputName == NULL) || (cs.pszInputName[0] == '\0')) {
@@ -351,7 +352,7 @@ static rsRetVal addInstance(void __attribute__((unused)) *pVal, uchar *pNewVal)
} else {
CHKmalloc(inst->pszInputName = ustrdup(cs.pszInputName));
}
- inst->bSuppOctetFram = cs.bSuppOctetFram;
+ inst->cnf_params->bSuppOctetFram = cs.bSuppOctetFram;
finalize_it:
free(pNewVal);
@@ -407,7 +408,7 @@ addListner(modConfData_t *modConf, instanceConf_t *inst)
}
/* initialized, now add socket and listener params */
- DBGPRINTF("imtcp: trying to add port *:%s\n", inst->pszBindPort);
+ DBGPRINTF("imtcp: trying to add port *:%s\n", inst->cnf_params->pszPort);
CHKiRet(tcpsrv.SetRuleset(pOurTcpsrv, inst->pBindRuleset));
CHKiRet(tcpsrv.SetInputName(pOurTcpsrv, inst->pszInputName == NULL ?
UCHAR_CONSTANT("imtcp") : inst->pszInputName));
@@ -416,12 +417,12 @@ addListner(modConfData_t *modConf, instanceConf_t *inst)
CHKiRet(tcpsrv.SetbSPFramingFix(pOurTcpsrv, inst->bSPFramingFix));
CHKiRet(tcpsrv.SetLinuxLikeRatelimiters(pOurTcpsrv, inst->ratelimitInterval, inst->ratelimitBurst));
- if((ustrcmp(inst->pszBindPort, UCHAR_CONSTANT("0")) == 0 && inst->pszLstnPortFileName == NULL)
- || ustrcmp(inst->pszBindPort, UCHAR_CONSTANT("0")) < 0) {
- CHKmalloc(inst->pszBindPort = (uchar*)strdup("514"));
+ if((ustrcmp(inst->cnf_params->pszPort, UCHAR_CONSTANT("0")) == 0
+ && inst->cnf_params->pszLstnPortFileName == NULL)
+ || ustrcmp(inst->cnf_params->pszPort, UCHAR_CONSTANT("0")) < 0) {
+ CHKmalloc(inst->cnf_params->pszPort = (uchar*)strdup("514"));
}
- tcpsrv.configureTCPListen(pOurTcpsrv, inst->pszBindPort, inst->bSuppOctetFram,
- inst->pszBindAddr, inst->pszLstnPortFileName);
+ tcpsrv.configureTCPListen(pOurTcpsrv, inst->cnf_params);
finalize_it:
if(iRet != RS_RET_OK) {
@@ -456,9 +457,9 @@ CODESTARTnewInpInst
if(!pvals[i].bUsed)
continue;
if(!strcmp(inppblk.descr[i].name, "port")) {
- inst->pszBindPort = (uchar*)es_str2cstr(pvals[i].val.d.estr, NULL);
+ inst->cnf_params->pszPort = (uchar*)es_str2cstr(pvals[i].val.d.estr, NULL);
} else if(!strcmp(inppblk.descr[i].name, "address")) {
- inst->pszBindAddr = (uchar*)es_str2cstr(pvals[i].val.d.estr, NULL);
+ inst->cnf_params->pszAddr = (uchar*)es_str2cstr(pvals[i].val.d.estr, NULL);
} else if(!strcmp(inppblk.descr[i].name, "name")) {
inst->pszInputName = (uchar*)es_str2cstr(pvals[i].val.d.estr, NULL);
} else if(!strcmp(inppblk.descr[i].name, "defaulttz")) {
@@ -468,13 +469,13 @@ CODESTARTnewInpInst
} else if(!strcmp(inppblk.descr[i].name, "ruleset")) {
inst->pszBindRuleset = (uchar*)es_str2cstr(pvals[i].val.d.estr, NULL);
} else if(!strcmp(inppblk.descr[i].name, "supportoctetcountedframing")) {
- inst->bSuppOctetFram = (int) pvals[i].val.d.n;
+ inst->cnf_params->bSuppOctetFram = (int) pvals[i].val.d.n;
} else if(!strcmp(inppblk.descr[i].name, "ratelimit.burst")) {
inst->ratelimitBurst = (unsigned int) pvals[i].val.d.n;
} else if(!strcmp(inppblk.descr[i].name, "ratelimit.interval")) {
inst->ratelimitInterval = (unsigned int) pvals[i].val.d.n;
} else if(!strcmp(inppblk.descr[i].name, "listenportfilename")) {
- inst->pszLstnPortFileName = (uchar*)es_str2cstr(pvals[i].val.d.estr, NULL);
+ inst->cnf_params->pszLstnPortFileName = (uchar*)es_str2cstr(pvals[i].val.d.estr, NULL);
} else {
dbgprintf("imtcp: program error, non-handled "
"param '%s'\n", inppblk.descr[i].name);
@@ -656,7 +657,7 @@ std_checkRuleset_genErrMsg(__attribute__((unused)) modConfData_t *modConf, insta
{
LogError(0, NO_ERRCODE, "imtcp: ruleset '%s' for port %s not found - "
"using default ruleset instead", inst->pszBindRuleset,
- inst->pszBindPort);
+ inst->cnf_params->pszPort);
}
BEGINcheckCnf
@@ -664,8 +665,8 @@ BEGINcheckCnf
CODESTARTcheckCnf
for(inst = pModConf->root ; inst != NULL ; inst = inst->next) {
std_checkRuleset(pModConf, inst);
- if(inst->bSuppOctetFram == FRAMING_UNSET)
- inst->bSuppOctetFram = pModConf->bSuppOctetFram;
+ if(inst->cnf_params->bSuppOctetFram == FRAMING_UNSET)
+ inst->cnf_params->bSuppOctetFram = pModConf->bSuppOctetFram;
}
if(pModConf->root == NULL) {
LogError(0, RS_RET_NO_LISTNERS , "imtcp: module loaded, but "
@@ -713,12 +714,9 @@ CODESTARTfreeCnf
free(pModConf->permittedPeers);
}
for(inst = pModConf->root ; inst != NULL ; ) {
- free(inst->pszBindPort);
- free(inst->pszLstnPortFileName);
- free(inst->pszBindAddr);
- free(inst->pszBindRuleset);
- free(inst->pszInputName);
- free(inst->dfltTZ);
+ free((void*)inst->pszBindRuleset);
+ free((void*)inst->pszInputName);
+ free((void*)inst->dfltTZ);
del = inst;
inst = inst->next;
free(del);
diff --git a/runtime/netstrm.c b/runtime/netstrm.c
index 8a394a02eb..2c1db46378 100644
--- a/runtime/netstrm.c
+++ b/runtime/netstrm.c
@@ -12,12 +12,18 @@
* to carry out its work (including, and most importantly, transport
* drivers).
*
+ * Note on processing:
+ * - Initiating a listener may be driver-specific, but in regard to TLS/non-TLS
+ * it actually is not. This is because TLS is negotiated after a connection
+ * has been established. So it is the "acceptConnReq" driver entry where TLS
+ * params need to be applied.
+ *
* Work on this module begun 2008-04-17 by Rainer Gerhards. This code
* borrows from librelp's tcp.c/.h code. librelp is dual licensed and
* Rainer Gerhards and Adiscon GmbH have agreed to permit using the code
* under the terms of the GNU Lesser General Public License.
*
- * Copyright 2007-2009 Rainer Gerhards and Adiscon GmbH.
+ * Copyright 2007-2020 Rainer Gerhards and Adiscon GmbH.
*
* This file is part of the rsyslog runtime library.
*
@@ -134,18 +140,17 @@ AcceptConnReq(netstrm_t *pThis, netstrm_t **ppNew)
* pLstnPort must point to a port name or number. NULL is NOT permitted.
* rgerhards, 2008-04-22
*/
-static rsRetVal
+static rsRetVal ATTR_NONNULL(1,3,5)
LstnInit(netstrms_t *pNS, void *pUsr, rsRetVal(*fAddLstn)(void*,netstrm_t*),
- uchar *pLstnPort, uchar *pLstnIP, int iSessMax,
- uchar *pszLstnPortFileName)
+ const int iSessMax, const tcpLstnParams_t *const cnf_params)
{
DEFiRet;
ISOBJ_TYPE_assert(pNS, netstrms);
assert(fAddLstn != NULL);
- assert(pLstnPort != NULL);
+ assert(cnf_params->pszPort != NULL);
- CHKiRet(pNS->Drvr.LstnInit(pNS, pUsr, fAddLstn, pLstnPort, pLstnIP, iSessMax, pszLstnPortFileName));
+ CHKiRet(pNS->Drvr.LstnInit(pNS, pUsr, fAddLstn, iSessMax, cnf_params));
finalize_it:
RETiRet;
diff --git a/runtime/netstrm.h b/runtime/netstrm.h
index 2e28d7e2e6..4ca35805e7 100644
--- a/runtime/netstrm.h
+++ b/runtime/netstrm.h
@@ -1,6 +1,6 @@
/* Definitions for the stream-based netstrmworking class.
*
- * Copyright 2007, 2008 Rainer Gerhards and Adiscon GmbH.
+ * Copyright 2007-2020 Rainer Gerhards and Adiscon GmbH.
*
* This file is part of the rsyslog runtime library.
*
@@ -24,6 +24,7 @@
#ifndef INCLUDED_NETSTRM_H
#define INCLUDED_NETSTRM_H
+#include "tcpsrv.h"
#include "netstrms.h"
/* the netstrm object */
@@ -31,6 +32,7 @@ struct netstrm_s {
BEGINobjInstance; /* Data to implement generic object - MUST be the first data element! */
nsd_t *pDrvrData; /**< the driver's data elements (at most other places, this is called pNsd) */
nsd_if_t Drvr; /**< our stream driver */
+ uchar *pszDrvrAuthMode; /**< auth mode of the stream driver to use */
void *pUsr; /**< pointer to user-provided data structure */
netstrms_t *pNS; /**< pointer to our netstream subsystem object */
};
@@ -76,8 +78,8 @@ BEGINinterface(netstrm) /* name must also be changed in ENDinterface macro! */
rsRetVal (*SetKeepAliveIntvl)(netstrm_t *pThis, int keepAliveIntvl);
rsRetVal (*SetGnutlsPriorityString)(netstrm_t *pThis, uchar *priorityString);
/* v11 -- Parameter pszLstnFileName added to LstnInit*/
- rsRetVal (*LstnInit)(netstrms_t *pNS, void *pUsr, rsRetVal(*)(void*,netstrm_t*),
- uchar *pLstnPort, uchar *pLstnIP, int iSessMax, uchar *pszLstnPortFileName);
+ rsRetVal (ATTR_NONNULL(1,3,5) *LstnInit)(netstrms_t *pNS, void *pUsr, rsRetVal(*)(void*,netstrm_t*),
+ const int iSessMax, const tcpLstnParams_t *const cnf_params);
/* v12 -- two new binary flags added to gtls driver enabling stricter operation */
rsRetVal (*SetDrvrCheckExtendedKeyUsage)(netstrm_t *pThis, int ChkExtendedKeyUsage);
rsRetVal (*SetDrvrPrioritizeSAN)(netstrm_t *pThis, int prioritizeSan);
diff --git a/runtime/nsd.h b/runtime/nsd.h
index e862348fd6..eecffed05e 100644
--- a/runtime/nsd.h
+++ b/runtime/nsd.h
@@ -84,8 +84,8 @@ BEGINinterface(nsd) /* name must also be changed in ENDinterface macro! */
rsRetVal (*SetKeepAliveTime)(nsd_t *pThis, int keepAliveTime);
rsRetVal (*SetGnutlsPriorityString)(nsd_t *pThis, uchar *gnutlsPriorityString);
/* v12 -- parameter pszLstnPortFileName added to LstnInit()*/
- rsRetVal (*LstnInit)(netstrms_t *pNS, void *pUsr, rsRetVal(*fAddLstn)(void*,netstrm_t*),
- uchar *pLstnPort, uchar *pLstnIP, int iSessMax, uchar *pszLstnPortFileName);
+ rsRetVal (ATTR_NONNULL(1,3,5) *LstnInit)(netstrms_t *pNS, void *pUsr, rsRetVal(*)(void*,netstrm_t*),
+ const int iSessMax, const tcpLstnParams_t *const cnf_params);
/* v13 -- two new binary flags added to gtls driver enabling stricter operation */
rsRetVal (*SetCheckExtendedKeyUsage)(nsd_t *pThis, int ChkExtendedKeyUsage);
rsRetVal (*SetPrioritizeSAN)(nsd_t *pThis, int prioritizeSan);
diff --git a/runtime/nsd_gtls.c b/runtime/nsd_gtls.c
index da90c2e096..55f6713d62 100644
--- a/runtime/nsd_gtls.c
+++ b/runtime/nsd_gtls.c
@@ -1692,14 +1692,13 @@ Abort(nsd_t *pNsd)
* a session, but not during listener setup.
* gerhards, 2008-04-25
*/
-static rsRetVal
+static rsRetVal ATTR_NONNULL(1,3,5)
LstnInit(netstrms_t *pNS, void *pUsr, rsRetVal(*fAddLstn)(void*,netstrm_t*),
- uchar *pLstnPort, uchar *pLstnIP, int iSessMax,
- uchar *pszLstnPortFileName)
+ const int iSessMax, const tcpLstnParams_t *const cnf_params)
{
DEFiRet;
CHKiRet(gtlsGlblInitLstn());
- iRet = nsd_ptcp.LstnInit(pNS, pUsr, fAddLstn, pLstnPort, pLstnIP, iSessMax, pszLstnPortFileName);
+ iRet = nsd_ptcp.LstnInit(pNS, pUsr, fAddLstn, iSessMax, cnf_params);
finalize_it:
RETiRet;
}
@@ -1785,6 +1784,7 @@ AcceptConnReq(nsd_t *pNsd, nsd_t **ppNew)
FINALIZE;
}
/* copy Properties to pnew first */
+dbgprintf("RGER: pThis %p pNew %p, authMode %d\n", pThis, pNew, pThis->authMode);
pNew->authMode = pThis->authMode;
pNew->permitExpiredCerts = pThis->permitExpiredCerts;
pNew->pPermPeers = pThis->pPermPeers;
diff --git a/runtime/nsd_ossl.c b/runtime/nsd_ossl.c
index 431ea738b8..79347916e4 100644
--- a/runtime/nsd_ossl.c
+++ b/runtime/nsd_ossl.c
@@ -1308,16 +1308,15 @@ Abort(nsd_t *pNsd)
*/
static rsRetVal
LstnInit(netstrms_t *pNS, void *pUsr, rsRetVal(*fAddLstn)(void*,netstrm_t*),
- uchar *pLstnPort, uchar *pLstnIP, int iSessMax, uchar *pszLstnPortFileName)
+ const int iSessMax, const tcpLstnParams_t *const cnf_params)
{
DEFiRet;
dbgprintf("LstnInit for openssl: entering LstnInit (%p) for %s:%s SessMax=%d\n",
- fAddLstn, pLstnIP, pLstnPort, iSessMax);
+ fAddLstn, cnf_params->pszAddr, cnf_params->pszPort, iSessMax);
/* Init TCP Listener using base ptcp class */
- iRet = nsd_ptcp.LstnInit(pNS, pUsr, fAddLstn, pLstnPort, pLstnIP,
- iSessMax, pszLstnPortFileName);
+ iRet = nsd_ptcp.LstnInit(pNS, pUsr, fAddLstn, iSessMax, cnf_params);
RETiRet;
}
diff --git a/runtime/nsd_ptcp.c b/runtime/nsd_ptcp.c
index c35138fb7a..2f9e77ba03 100644
--- a/runtime/nsd_ptcp.c
+++ b/runtime/nsd_ptcp.c
@@ -474,10 +474,9 @@ AcceptConnReq(nsd_t *pNsd, nsd_t **ppNew)
* number of sessions permitted.
* rgerhards, 2008-04-22
*/
-static rsRetVal
+static rsRetVal ATTR_NONNULL(1,3,5)
LstnInit(netstrms_t *pNS, void *pUsr, rsRetVal(*fAddLstn)(void*,netstrm_t*),
- uchar *pLstnPort, uchar *pLstnIP, int iSessMax,
- uchar *pszLstnPortFileName)
+ const int iSessMax, const tcpLstnParams_t *const cnf_params)
{
DEFiRet;
netstrm_t *pNewStrm = NULL;
@@ -497,20 +496,20 @@ LstnInit(netstrms_t *pNS, void *pUsr, rsRetVal(*fAddLstn)(void*,netstrm_t*),
ISOBJ_TYPE_assert(pNS, netstrms);
assert(fAddLstn != NULL);
- assert(pLstnPort != NULL);
+ assert(cnf_params->pszPort != NULL);
assert(iSessMax >= 0);
- dbgprintf("creating tcp listen socket on port %s\n", pLstnPort);
+ dbgprintf("creating tcp listen socket on port %s\n", cnf_params->pszPort);
memset(&hints, 0, sizeof(hints));
hints.ai_flags = AI_PASSIVE;
hints.ai_family = glbl.GetDefPFFamily();
hints.ai_socktype = SOCK_STREAM;
- error = getaddrinfo((char*)pLstnIP, (char*) pLstnPort, &hints, &res);
+ error = getaddrinfo((const char*)cnf_params->pszAddr, (const char*) cnf_params->pszPort, &hints, &res);
if(error) {
LogError(0, RS_RET_INVALID_PORT, "error querying port '%s': %s",
- pLstnPort, gai_strerror(error));
+ cnf_params->pszAddr, gai_strerror(error));
ABORT_FINALIZE(RS_RET_INVALID_PORT);
}
@@ -622,9 +621,9 @@ LstnInit(netstrms_t *pNS, void *pUsr, rsRetVal(*fAddLstn)(void*,netstrm_t*),
r->ai_addrlen = socklen_r;
savecast.sa = (struct sockaddr*)r->ai_addr;
port_override = (isIPv6) ? savecast.ipv6->sin6_port : savecast.ipv4->sin_port;
- if(pszLstnPortFileName != NULL) {
+ if(cnf_params->pszLstnPortFileName != NULL) {
FILE *fp;
- if((fp = fopen((const char*)pszLstnPortFileName, "w+")) == NULL) {
+ if((fp = fopen((const char*)cnf_params->pszLstnPortFileName, "w+")) == NULL) {
LogError(errno, RS_RET_IO_ERROR, "nsd_ptcp: ListenPortFileName: "
"error while trying to open file");
ABORT_FINALIZE(RS_RET_IO_ERROR);
diff --git a/runtime/nsd_ptcp.h b/runtime/nsd_ptcp.h
index 137b7c3ce7..1c91718c19 100644
--- a/runtime/nsd_ptcp.h
+++ b/runtime/nsd_ptcp.h
@@ -1,6 +1,6 @@
/* An implementation of the nsd interface for plain tcp sockets.
*
- * Copyright 2007-2012 Adiscon GmbH.
+ * Copyright 2007-2020 Adiscon GmbH.
*
* This file is part of the rsyslog runtime library.
*
@@ -23,6 +23,7 @@
#define INCLUDED_NSD_PTCP_H
#include <sys/socket.h>
+#include "tcpsrv.h"
#include "nsd.h"
typedef nsd_if_t nsd_ptcp_if_t; /* we just *implement* this interface */
diff --git a/runtime/tcps_sess.c b/runtime/tcps_sess.c
index 58528c81ec..845e944582 100644
--- a/runtime/tcps_sess.c
+++ b/runtime/tcps_sess.c
@@ -194,8 +194,8 @@ SetLstnInfo(tcps_sess_t *pThis, tcpLstnPortList_t *pLstnInfo)
assert(pLstnInfo != NULL);
pThis->pLstnInfo = pLstnInfo;
/* set cached elements */
- pThis->bSuppOctetFram = pLstnInfo->bSuppOctetFram;
- pThis->bSPFramingFix = pLstnInfo->bSPFramingFix;
+ pThis->bSuppOctetFram = pLstnInfo->cnf_params->bSuppOctetFram;
+ pThis->bSPFramingFix = pLstnInfo->cnf_params->bSPFramingFix;
RETiRet;
}
@@ -235,6 +235,7 @@ defaultDoSubmitMessage(tcps_sess_t *pThis, struct syslogTime *stTime, time_t ttG
DEFiRet;
ISOBJ_TYPE_assert(pThis, tcps_sess);
+ const tcpLstnParams_t *const cnf_params = pThis->pLstnInfo->cnf_params;
if(pThis->iMsg == 0) {
DBGPRINTF("discarding zero-sized message\n");
@@ -249,15 +250,15 @@ defaultDoSubmitMessage(tcps_sess_t *pThis, struct syslogTime *stTime, time_t ttG
/* we now create our own message object and submit it to the queue */
CHKiRet(msgConstructWithTime(&pMsg, stTime, ttGenTime));
MsgSetRawMsg(pMsg, (char*)pThis->pMsg, pThis->iMsg);
- MsgSetInputName(pMsg, pThis->pLstnInfo->pInputName);
- if(pThis->pLstnInfo->dfltTZ[0] != '\0')
- MsgSetDfltTZ(pMsg, (char*) pThis->pLstnInfo->dfltTZ);
+ MsgSetInputName(pMsg, cnf_params->pInputName);
+ if(cnf_params->dfltTZ[0] != '\0')
+ MsgSetDfltTZ(pMsg, (char*) cnf_params->dfltTZ);
MsgSetFlowControlType(pMsg, pThis->pSrv->bUseFlowControl
? eFLOWCTL_LIGHT_DELAY : eFLOWCTL_NO_DELAY);
pMsg->msgFlags = NEEDS_PARSING | PARSE_HOSTNAME;
MsgSetRcvFrom(pMsg, pThis->fromHost);
CHKiRet(MsgSetRcvFromIP(pMsg, pThis->fromHostIP));
- MsgSetRuleset(pMsg, pThis->pLstnInfo->pRuleset);
+ MsgSetRuleset(pMsg, cnf_params->pRuleset);
STATSCOUNTER_INC(pThis->pLstnInfo->ctrSubmit, pThis->pLstnInfo->mutCtrSubmit);
ratelimitAddMsg(pThis->pLstnInfo->ratelimiter, pMultiSub, pMsg);
diff --git a/runtime/tcpsrv.c b/runtime/tcpsrv.c
index 76a50357c3..ab9573e5b8 100644
--- a/runtime/tcpsrv.c
+++ b/runtime/tcpsrv.c
@@ -123,9 +123,7 @@ static int wrkrRunning;
* rgerhards, 2009-05-21
*/
static rsRetVal ATTR_NONNULL(1, 2)
-addNewLstnPort(tcpsrv_t *const pThis, const uchar *const pszPort,
- const int bSuppOctetFram, const uchar *const pszAddr,
- const uchar *const pszLstnPortFileName)
+addNewLstnPort(tcpsrv_t *const pThis, tcpLstnParams_t *const cnf_params)
{
tcpLstnPortList_t *pEntry;
uchar statname[64];
@@ -135,25 +133,17 @@ addNewLstnPort(tcpsrv_t *const pThis, const uchar *const pszPort,
/* create entry */
CHKmalloc(pEntry = (tcpLstnPortList_t*)calloc(1, sizeof(tcpLstnPortList_t)));
- CHKmalloc(pEntry->pszPort = ustrdup(pszPort));
+ pEntry->cnf_params = cnf_params;
- pEntry->pszAddr = NULL;
- /* only if a bind adress is defined copy it in struct */
- if (pszAddr != NULL) {
- CHKmalloc(pEntry->pszAddr = ustrdup(pszAddr));
- }
-
- strcpy((char*)pEntry->dfltTZ, (char*)pThis->dfltTZ);
- pEntry->bSPFramingFix = pThis->bSPFramingFix;
+ strcpy((char*)pEntry->cnf_params->dfltTZ, (char*)pThis->dfltTZ);
+ pEntry->cnf_params->bSPFramingFix = pThis->bSPFramingFix;
+ pEntry->cnf_params->pRuleset = pThis->pRuleset;
pEntry->pSrv = pThis;
- pEntry->pRuleset = pThis->pRuleset;
- pEntry->bSuppOctetFram = bSuppOctetFram;
- pEntry->pszLstnPortFileName = pszLstnPortFileName;
/* we need to create a property */
- CHKiRet(prop.Construct(&pEntry->pInputName));
- CHKiRet(prop.SetString(pEntry->pInputName, pThis->pszInputName, ustrlen(pThis->pszInputName)));
- CHKiRet(prop.ConstructFinalize(pEntry->pInputName));
+ CHKiRet(prop.Construct(&pEntry->cnf_params->pInputName));
+ CHKiRet(prop.SetString(pEntry->cnf_params->pInputName, pThis->pszInputName, ustrlen(pThis->pszInputName)));
+ CHKiRet(prop.ConstructFinalize(pEntry->cnf_params->pInputName));
/* support statistics gathering */
CHKiRet(ratelimitNew(&pEntry->ratelimiter, "tcperver", NULL));
@@ -161,7 +151,7 @@ addNewLstnPort(tcpsrv_t *const pThis, const uchar *const pszPort,
ratelimitSetThreadSafe(pEntry->ratelimiter);
CHKiRet(statsobj.Construct(&(pEntry->stats)));
- snprintf((char*)statname, sizeof(statname), "%s(%s)", pThis->pszInputName, pszPort);
+ snprintf((char*)statname, sizeof(statname), "%s(%s)", pThis->pszInputName, cnf_params->pszPort);
statname[sizeof(statname)-1] = '\0'; /* just to be on the save side... */
CHKiRet(statsobj.SetName(pEntry->stats, statname));
CHKiRet(statsobj.SetOrigin(pEntry->stats, pThis->pszOrigin));
@@ -177,10 +167,8 @@ addNewLstnPort(tcpsrv_t *const pThis, const uchar *const pszPort,
finalize_it:
if(iRet != RS_RET_OK) {
if(pEntry != NULL) {
- free(pEntry->pszAddr);
- free(pEntry->pszPort);
- if(pEntry->pInputName != NULL) {
- prop.Destruct(&pEntry->pInputName);
+ if(pEntry->cnf_params->pInputName != NULL) {
+ prop.Destruct(&pEntry->cnf_params->pInputName);
}
if(pEntry->ratelimiter != NULL) {
ratelimitDestruct(pEntry->ratelimiter);
@@ -201,29 +189,25 @@ addNewLstnPort(tcpsrv_t *const pThis, const uchar *const pszPort,
* rgerhards, 2008-03-20
*/
static rsRetVal ATTR_NONNULL(1,2)
-configureTCPListen(tcpsrv_t *const pThis,
- const uchar *const pszPort,
- const int bSuppOctetFram,
- const uchar *const pszAddr,
- const uchar *const pszLstnPortFileName)
+configureTCPListen(tcpsrv_t *const pThis, tcpLstnParams_t *const cnf_params)
{
+ assert(cnf_params->pszPort != NULL);
int i;
- const uchar *pPort = pszPort;
DEFiRet;
- assert(pszPort != NULL);
ISOBJ_TYPE_assert(pThis, tcpsrv);
/* extract port */
+ const uchar *pPort = cnf_params->pszPort;
i = 0;
while(isdigit((int) *pPort)) {
i = i * 10 + *pPort++ - '0';
}
if(i >= 0 && i <= 65535) {
- CHKiRet(addNewLstnPort(pThis, pszPort, bSuppOctetFram, pszAddr, pszLstnPortFileName));
+ CHKiRet(addNewLstnPort(pThis, cnf_params));
} else {
- LogError(0, NO_ERRCODE, "Invalid TCP listen port %s - ignored.\n", pszPort);
+ LogError(0, NO_ERRCODE, "Invalid TCP listen port %s - ignored.\n", cnf_params->pszPort);
}
finalize_it:
@@ -331,8 +315,11 @@ deinit_tcp_listener(tcpsrv_t *const pThis)
/* free list of tcp listen ports */
pEntry = pThis->pLstnPorts;
while(pEntry != NULL) {
- free(pEntry->pszPort);
- prop.Destruct(&pEntry->pInputName);
+ prop.Destruct(&pEntry->cnf_params->pInputName);
+ free((void*)pEntry->cnf_params->pszPort);
+ free((void*)pEntry->cnf_params->pszAddr);
+ free((void*)pEntry->cnf_params->pszLstnPortFileName);
+ free((void*)pEntry->cnf_params);
ratelimitDestruct(pEntry->ratelimiter);
statsobj.Destruct(&(pEntry->stats));
pDel = pEntry;
@@ -373,22 +360,21 @@ addTcpLstn(void *pUsr, netstrm_t *pLstn)
/* Initialize TCP listener socket for a single port
+ * Note: at this point, TLS vs. non-TLS does not matter; TLS params are
+ * set on connect!
* rgerhards, 2009-05-21
*/
static rsRetVal
initTCPListener(tcpsrv_t *pThis, tcpLstnPortList_t *pPortEntry)
{
DEFiRet;
- uchar *TCPLstnPort;
ISOBJ_TYPE_assert(pThis, tcpsrv);
assert(pPortEntry != NULL);
- TCPLstnPort = pPortEntry->pszPort;
-
// pPortEntry->pszAddr = NULL ==> bind to all interfaces
- CHKiRet(netstrm.LstnInit(pThis->pNS, (void*)pPortEntry, addTcpLstn, TCPLstnPort,
- pPortEntry->pszAddr, pThis->iSessMax, (uchar*)pPortEntry->pszLstnPortFileName));
+ CHKiRet(netstrm.LstnInit(pThis->pNS, (void*)pPortEntry, addTcpLstn,
+ pThis->iSessMax, pPortEntry->cnf_params));
finalize_it:
RETiRet;
@@ -408,11 +394,12 @@ create_tcp_socket(tcpsrv_t *pThis)
/* init all configured ports */
pEntry = pThis->pLstnPorts;
while(pEntry != NULL) {
+dbgprintf("RGER: configuring listener %p\n", pEntry);
localRet = initTCPListener(pThis, pEntry);
if(localRet != RS_RET_OK) {
LogError(0, localRet, "Could not create tcp listener, ignoring port "
- "%s bind-address %s.", pEntry->pszPort,
- (pEntry->pszAddr == NULL) ? "(null)" : (const char*)pEntry->pszAddr);
+ "%s bind-address %s.", pEntry->cnf_params->pszPort,
+ (pEntry->cnf_params->pszAddr == NULL) ? "(null)" : (const char*)pEntry->cnf_params->pszAddr);
}
pEntry = pEntry->pNext;
}
@@ -1236,15 +1223,6 @@ SetGnutlsPriorityString(tcpsrv_t *pThis, uchar *iVal)
RETiRet;
}
-static rsRetVal
-SetLstnPortFileName(tcpsrv_t *pThis, uchar *iVal)
-{
- DEFiRet;
- DBGPRINTF("tcpsrv: LstnPortFileName set to %s\n",
- (iVal == NULL) ? "(null)" : (const char*) iVal);
- pThis->pszLstnPortFileName = iVal;
- RETiRet;
-}
static rsRetVal
SetOnMsgReceive(tcpsrv_t *pThis, rsRetVal (*OnMsgReceive)(tcps_sess_t*, uchar*, int))
@@ -1309,6 +1287,7 @@ SetDfltTZ(tcpsrv_t *const pThis, uchar *const tz)
{
DEFiRet;
ISOBJ_TYPE_assert(pThis, tcpsrv);
+dbgprintf("dfltTZ prev: %s\n", pThis->dfltTZ);
strncpy((char*)pThis->dfltTZ, (char*)tz, sizeof(pThis->dfltTZ));
pThis->dfltTZ[sizeof(pThis->dfltTZ)-1] = '\0';
RETiRet;
@@ -1557,7 +1536,6 @@ CODESTARTobjQueryInterface(tcpsrv)
pIf->SetKeepAliveProbes = SetKeepAliveProbes;
pIf->SetKeepAliveTime = SetKeepAliveTime;
pIf->SetGnutlsPriorityString = SetGnutlsPriorityString;
- pIf->SetLstnPortFileName = SetLstnPortFileName;
pIf->SetUsrP = SetUsrP;
pIf->SetInputName = SetInputName;
pIf->SetOrigin = SetOrigin;
diff --git a/runtime/tcpsrv.h b/runtime/tcpsrv.h
index db5a1d110a..bae7e3b8b9 100644
--- a/runtime/tcpsrv.h
+++ b/runtime/tcpsrv.h
@@ -1,6 +1,6 @@
/* Definitions for tcpsrv class.
*
- * Copyright 2008-2015 Adiscon GmbH.
+ * Copyright 2008-2020 Adiscon GmbH.
*
* This file is part of rsyslog.
*
@@ -23,6 +23,7 @@
#include "obj.h"
#include "prop.h"
+#include "net.h"
#include "tcps_sess.h"
#include "statsobj.h"
@@ -34,19 +35,24 @@ typedef enum ETCPsyslogFramingAnomaly {
} eTCPsyslogFramingAnomaly;
+/* config parameters for TCP listeners */
+struct tcpLstnParams_s {
+ const uchar *pszPort; /**< the ports the listener shall listen on */
+ const uchar *pszAddr; /**< the addrs the listener shall listen on */
+ sbool bSuppOctetFram; /**< do we support octect-counted framing? (if no->legay only!)*/
+ sbool bSPFramingFix; /**< support work-around for broken Cisco ASA framing? */
+ const uchar *pszLstnPortFileName; /**< File in which the dynamic port is written */
+ prop_t *pInputName;
+ ruleset_t *pRuleset; /**< associated ruleset */
+ uchar dfltTZ[8]; /**< default TZ if none in timestamp; '\0' =No Default */
+};
+
/* list of tcp listen ports */
struct tcpLstnPortList_s {
- uchar *pszPort; /**< the ports the listener shall listen on */
- uchar *pszAddr; /**< the addrs the listener shall listen on */
- prop_t *pInputName;
+ tcpLstnParams_t *cnf_params; /**< listener config parameters */
tcpsrv_t *pSrv; /**< pointer to higher-level server instance */
- ruleset_t *pRuleset; /**< associated ruleset */
statsobj_t *stats; /**< associated stats object */
- sbool bSuppOctetFram; /**< do we support octect-counted framing? (if no->legay only!)*/
ratelimit_t *ratelimiter;
- uchar dfltTZ[8]; /**< default TZ if none in timestamp; '\0' =No Default */
- sbool bSPFramingFix; /**< support work-around for broken Cisco ASA framing? */
- const uchar *pszLstnPortFileName; /**< File in which the dynamic port is written */
STATSCOUNTER_DEF(ctrSubmit, mutCtrSubmit)
tcpLstnPortList_t *pNext; /**< next port or NULL */
};
@@ -130,8 +136,7 @@ BEGINinterface(tcpsrv) /* name must also be changed in ENDinterface macro! */
rsRetVal (*Construct)(tcpsrv_t **ppThis);
rsRetVal (*ConstructFinalize)(tcpsrv_t __attribute__((unused)) *pThis);
rsRetVal (*Destruct)(tcpsrv_t **ppThis);
- rsRetVal (*ATTR_NONNULL(1,2) configureTCPListen)(tcpsrv_t*,
- const uchar *pszPort, int bSuppOctetFram, const uchar *pszAddr, const uchar *);
+ rsRetVal (*ATTR_NONNULL(1,2) configureTCPListen)(tcpsrv_t*, tcpLstnParams_t *const cnf_params);
rsRetVal (*create_tcp_socket)(tcpsrv_t *pThis);
rsRetVal (*Run)(tcpsrv_t *pThis);
/* set methods */
@@ -188,8 +193,6 @@ BEGINinterface(tcpsrv) /* name must also be changed in ENDinterface macro! */
rsRetVal (*SetGnutlsPriorityString)(tcpsrv_t*, uchar*);
/* added v21 -- Preserve case in fromhost, 2018-08-16 */
rsRetVal (*SetPreserveCase)(tcpsrv_t *pThis, int bPreserveCase);
- /* added v22 -- File for dynamic Port, 2018-08-29 */
- rsRetVal (*SetLstnPortFileName)(tcpsrv_t*, uchar*);
/* added v23 -- Options for stricter driver behavior, 2019-08-16 */
rsRetVal (*SetDrvrCheckExtendedKeyUsage)(tcpsrv_t *pThis, int ChkExtendedKeyUsage);
rsRetVal (*SetDrvrPrioritizeSAN)(tcpsrv_t *pThis, int prioritizeSan);
diff --git a/runtime/typedefs.h b/runtime/typedefs.h
index 06f5c25a8c..000b4da4fe 100644
--- a/runtime/typedefs.h
+++ b/runtime/typedefs.h
@@ -123,6 +123,7 @@ typedef int rs_size_t; /* we do never need more than 2Gig strings, signed permit
typedef rsRetVal (*prsf_t)(struct vmstk_s*, int); /* pointer to a RainerScript function */
typedef uint64 qDeqID; /* queue Dequeue order ID. 32 bits is considered dangerously few */
+typedef struct tcpLstnParams_s tcpLstnParams_t;
typedef struct tcpLstnPortList_s tcpLstnPortList_t; // TODO: rename?
typedef struct strmLstnPortList_s strmLstnPortList_t; // TODO: rename?
typedef struct actWrkrIParams actWrkrIParams_t;

11
SOURCES/rsyslog-8.2102.0-libcapng-no-cap-support2.patch
Unescape View File

@ -1,11 +0,0 @@
diff -up rsyslog-8.2102.0/tools/rsyslogd.c.orig rsyslog-8.2102.0/tools/rsyslogd.c
--- rsyslog-8.2102.0/tools/rsyslogd.c.orig 2023-07-28 11:11:36.253771848 +0200
+++ rsyslog-8.2102.0/tools/rsyslogd.c 2023-07-28 11:11:57.628795339 +0200
@@ -1571,6 +1571,7 @@ initAll(int argc, char **argv)
capabilities_t capabilities[] = {
#define CAP_FIELD(code) { code, #code, 0 }
CAP_FIELD(CAP_BLOCK_SUSPEND),
+ CAP_FIELD(CAP_NET_RAW),
CAP_FIELD(CAP_CHOWN),
CAP_FIELD(CAP_IPC_LOCK),
CAP_FIELD(CAP_LEASE),

124
SOURCES/rsyslog-8.2102.0-nsd_ossl-better-logs.patch
Unescape View File

@ -0,0 +1,124 @@
diff --git a/runtime/nsd_ossl.c b/runtime/nsd_ossl.c
index e55b014b2c..431ea738b8 100644
--- a/runtime/nsd_ossl.c
+++ b/runtime/nsd_ossl.c
@@ -210,7 +210,8 @@ void osslLastSSLErrorMsg(int ret, SSL *ssl, int severity, const char* pszCallSou
/* Loop through ERR_get_error */
while ((un_error = ERR_get_error()) > 0){
- LogMsg(0, RS_RET_NO_ERRCODE, severity, "OpenSSL Error Stack: %s", ERR_error_string(un_error, NULL) );
+ LogMsg(0, RS_RET_NO_ERRCODE, severity,
+ "nsd_ossl:OpenSSL Error Stack: %s", ERR_error_string(un_error, NULL) );
}
}
@@ -721,9 +722,10 @@ osslChkPeerFingerprint(nsd_ossl_t *pThis, X509 *pCert)
if(pThis->bReportAuthErr == 1) {
errno = 0;
LogError(0, RS_RET_INVALID_FINGERPRINT,
- "nsd_ossl:error:"
- " peer fingerprint '%s' unknown - we are "
- "not permitted to talk to it", cstrGetSzStrNoNULL(pstrFingerprint));
+ "nsd_ossl:error: peer fingerprint '%s' unknown - we are "
+ "not permitted to talk to it", cstrGetSzStrNoNULL(pstrFingerprint));
+ LogMsg(0, RS_RET_NO_ERRCODE, LOG_INFO,
+ "nsd_ossl:TLS session terminated with remote syslog server.");
pThis->bReportAuthErr = 0;
}
ABORT_FINALIZE(RS_RET_INVALID_FINGERPRINT);
@@ -834,8 +836,10 @@ osslChkPeerName(nsd_ossl_t *pThis, X509 *pCert)
cstrFinalize(pStr);
errno = 0;
LogError(0, RS_RET_INVALID_FINGERPRINT, "nsd_ossl:error: peer name not authorized - "
- "not permitted to talk to it. Names: %s",
- cstrGetSzStrNoNULL(pStr));
+ "not permitted to talk to it. Names: %s",
+ cstrGetSzStrNoNULL(pStr));
+ LogMsg(0, RS_RET_NO_ERRCODE, LOG_INFO,
+ "nsd_ossl:TLS session terminated with remote syslog server.");
pThis->bReportAuthErr = 0;
}
ABORT_FINALIZE(RS_RET_INVALID_FINGERPRINT);
@@ -871,8 +875,10 @@ osslChkPeerID(nsd_ossl_t *pThis)
if(pThis->bReportAuthErr == 1) {
errno = 0;
LogError(0, RS_RET_TLS_NO_CERT, "nsd_ossl:error: peer did not provide a certificate, "
- "not permitted to talk to it");
+ "not permitted to talk to it");
pThis->bReportAuthErr = 0;
+ LogMsg(0, RS_RET_NO_ERRCODE, LOG_INFO,
+ "nsd_ossl:TLS session terminated with remote syslog server.");
}
ABORT_FINALIZE(RS_RET_TLS_NO_CERT);
}
@@ -905,15 +911,19 @@ osslChkPeerCertValidity(nsd_ossl_t *pThis)
if (iVerErr == X509_V_ERR_CERT_HAS_EXPIRED) {
if (pThis->permitExpiredCerts == OSSL_EXPIRED_DENY) {
LogError(0, RS_RET_CERT_EXPIRED,
- "nsd_ossl:CertValidity check"
-"- not permitted to talk to peer: certificate expired: %s",
+ "nsd_ossl:CertValidity check - not permitted to talk to peer: "
+ "certificate expired: %s",
X509_verify_cert_error_string(iVerErr));
+ LogMsg(0, RS_RET_NO_ERRCODE, LOG_INFO,
+ "nsd_ossl:TLS session terminated with remote syslog server.");
ABORT_FINALIZE(RS_RET_CERT_EXPIRED);
} else if (pThis->permitExpiredCerts == OSSL_EXPIRED_WARN) {
LogMsg(0, RS_RET_NO_ERRCODE, LOG_WARNING,
- "nsd_ossl:CertValidity check"
-"- warning talking to peer: certificate expired: %s",
+ "nsd_ossl:CertValidity check - warning talking to peer: "
+ "certificate expired: %s",
X509_verify_cert_error_string(iVerErr));
+ LogMsg(0, RS_RET_NO_ERRCODE, LOG_INFO,
+ "nsd_ossl:TLS session terminated with remote syslog server.");
} else {
dbgprintf("osslChkPeerCertValidity: talking to peer: certificate expired: %s\n",
X509_verify_cert_error_string(iVerErr));
@@ -921,6 +931,8 @@ osslChkPeerCertValidity(nsd_ossl_t *pThis)
} else {
LogError(0, RS_RET_CERT_INVALID, "nsd_ossl:not permitted to talk to peer: "
"certificate validation failed: %s", X509_verify_cert_error_string(iVerErr));
+ LogMsg(0, RS_RET_NO_ERRCODE, LOG_INFO,
+ "nsd_ossl:TLS session terminated with remote syslog server.");
ABORT_FINALIZE(RS_RET_CERT_INVALID);
}
} else {
@@ -1384,7 +1396,7 @@ osslPostHandshakeCheck(nsd_ossl_t *pNsd)
#if OPENSSL_VERSION_NUMBER >= 0x10002000L
if(SSL_get_shared_curve(pNsd->ssl, -1) == 0) {
LogError(0, RS_RET_NO_ERRCODE, "nsd_ossl:"
-"No shared curve between syslog client and server.");
+ "No shared curve between syslog client and server.");
}
#endif
sslCipher = (const SSL_CIPHER*) SSL_get_current_cipher(pNsd->ssl);
@@ -1446,8 +1458,6 @@ osslHandshakeCheck(nsd_ossl_t *pNsd)
resErr == SSL_ERROR_WANT_WRITE) {
pNsd->rtryCall = osslRtry_handshake;
pNsd->rtryOsslErr = resErr; /* Store SSL ErrorCode into*/
- LogError(0, RS_RET_NO_ERRCODE, "nsd_ossl:"
-"TLS handshake failed between syslog client and server.");
dbgprintf("osslHandshakeCheck: OpenSSL Client handshake does not complete "
"immediately - setting to retry (this is OK and normal)\n");
FINALIZE;
@@ -1458,6 +1468,8 @@ osslHandshakeCheck(nsd_ossl_t *pNsd)
ABORT_FINALIZE(RS_RET_NO_ERRCODE /*RS_RET_RETRY*/);
} else {
osslLastSSLErrorMsg(res, pNsd->ssl, LOG_ERR, "osslHandshakeCheck Client");
+ LogMsg(0, RS_RET_NO_ERRCODE, LOG_INFO,
+ "nsd_ossl:TLS session terminated with remote syslog server.");
ABORT_FINALIZE(RS_RET_NO_ERRCODE);
}
}
@@ -1738,8 +1750,8 @@ Connect(nsd_t *pNsd, int family, uchar *port, uchar *host, char *device)
conn = BIO_new_socket(pPtcp->sock, BIO_CLOSE /*BIO_NOCLOSE*/);
dbgprintf("Connect: Init conn BIO[%p] done\n", (void *)conn);
- LogMsg(0, RS_RET_NO_ERRCODE, LOG_INFO, "nsd_ossl:"
-"TLS Connection initiated with remote syslog server.");
+ LogMsg(0, RS_RET_NO_ERRCODE, LOG_INFO, "nsd_ossl: "
+ "TLS Connection initiated with remote syslog server.");
/*if we reach this point we are in tls mode */
DBGPRINTF("Connect: TLS Mode\n");
if(!(pThis->ssl = SSL_new(ctx))) {

25
SOURCES/rsyslog-8.2102.0-nsd_ossl-memory-leak.patch
Unescape View File

@ -0,0 +1,25 @@
diff --git a/runtime/nsd_ossl.c b/runtime/nsd_ossl.c
index 79347916e4..69ec57af09 100644
--- a/runtime/nsd_ossl.c
+++ b/runtime/nsd_ossl.c
@@ -1821,11 +1821,8 @@ BIO_set_nbio( conn, 1 );
}
-/* Empty wrapper for GNUTLS helper function
- * TODO: implement a similar capability
- */
static rsRetVal
-SetGnutlsPriorityString(__attribute__((unused)) nsd_t *pNsd, __attribute__((unused)) uchar *gnutlsPriorityString)
+SetGnutlsPriorityString(nsd_t *const pNsd, uchar *const gnutlsPriorityString)
{
DEFiRet;
nsd_ossl_t* pThis = (nsd_ossl_t*) pNsd;
@@ -1905,6 +1902,7 @@ SetGnutlsPriorityString(__attribute__((unused)) nsd_t *pNsd, __attribute__((unus
pThis->gnutlsPriorityString);
osslLastSSLErrorMsg(0, NULL, LOG_ERR, "SetGnutlsPriorityString");
}
+ SSL_CONF_CTX_free(cctx);
}
#else
dbgprintf("gnutlsPriorityString: set to '%s'\n", gnutlsPriorityString);

6
SOURCES/rsyslog-8.2102.0-rhbz2021076-prioritize-SAN.patch → SOURCES/rsyslog-8.2102.0-rhbz1832368-prioritize-SAN.patch
Unescape View File

@ -1,6 +1,6 @@
diff -up ./rsyslog-8.2102.0/runtime/nsd_gtls.c.ori ./rsyslog-8.2102.0/runtime/nsd_gtls.c
--- rsyslog-8.2102.0/runtime/nsd_gtls.c.ori 2022-01-17 15:50:08.285827256 +0100
+++ rsyslog-8.2102.0/runtime/nsd_gtls.c 2022-01-17 15:52:33.282594512 +0100
diff -up rsyslog-8.2102.0/runtime/nsd_gtls.c.orig rsyslog-8.2102.0/runtime/nsd_gtls.c
--- rsyslog-8.2102.0/runtime/nsd_gtls.c.orig 2021-11-22 09:33:25.501668376 +0100
+++ rsyslog-8.2102.0/runtime/nsd_gtls.c 2021-11-22 09:34:18.423642573 +0100
@@ -1791,6 +1791,7 @@ AcceptConnReq(nsd_t *pNsd, nsd_t **ppNew
pNew->gnutlsPriorityString = pThis->gnutlsPriorityString;
pNew->DrvrVerifyDepth = pThis->DrvrVerifyDepth;

14
SOURCES/rsyslog-8.2102.0-rhbz1866877-unexpected-length.patch
Unescape View File

@ -0,0 +1,14 @@
diff -up rsyslog-8.2102.0/plugins/imjournal/imjournal.c.orig rsyslog-8.2102.0/plugins/imjournal/imjournal.c
--- rsyslog-8.2102.0/plugins/imjournal/imjournal.c.orig 2021-06-28 09:05:23.283262154 +0200
+++ rsyslog-8.2102.0/plugins/imjournal/imjournal.c 2021-06-28 09:10:05.858381106 +0200
@@ -424,8 +424,8 @@ readjournal(void)
severity = cs.iDfltSeverity;
}
} else {
- LogError(0, RS_RET_ERR, "The value of the 'PRIORITY' field has an "
- "unexpected length: %zu\n", length);
+ DBGPRINTF("The value of the 'PRIORITY' field has an "
+ "unexpected length: %zu value: '%s'\n", length, (const char*)get);
}
}

163
SOURCES/rsyslog-8.2102.0-rhbz1938863-covscan.patch
Unescape View File

@ -1,163 +0,0 @@
diff -up rsyslog-8.2102.0/contrib/imdocker/imdocker.c.covscan rsyslog-8.2102.0/contrib/imdocker/imdocker.c
--- rsyslog-8.2102.0/contrib/imdocker/imdocker.c.covscan 2021-01-18 11:21:14.000000000 +0100
+++ rsyslog-8.2102.0/contrib/imdocker/imdocker.c 2021-07-22 14:10:31.877231143 +0200
@@ -1527,6 +1527,7 @@ process_json(sbool isInit, const char* j
pInstances->last_container_id,
(unsigned)pInstances->last_container_created);
}
+ // coverity[leaked_storage : FALSE]
CHKiRet(dockerContLogsInstSetUrlById(isInit, pInst,
pInstances->curlm, containerId));
CHKiRet(dockerContLogReqsAdd(pInstances, pInst));
diff -up rsyslog-8.2102.0/contrib/omhiredis/omhiredis.c.covscan rsyslog-8.2102.0/contrib/omhiredis/omhiredis.c
--- rsyslog-8.2102.0/contrib/omhiredis/omhiredis.c.covscan 2020-10-03 19:06:47.000000000 +0200
+++ rsyslog-8.2102.0/contrib/omhiredis/omhiredis.c 2021-07-22 14:10:31.877231143 +0200
@@ -324,7 +324,6 @@ BEGINnewActInst
struct cnfparamvals *pvals;
int i;
int iNumTpls;
- uchar *keydup = NULL;
CODESTARTnewActInst
if((pvals = nvlstGetParams(lst, &actpblk, NULL)) == NULL)
ABORT_FINALIZE(RS_RET_MISSING_CNFPARAMS);
@@ -417,14 +416,11 @@ CODESTARTnewActInst
CHKiRet(OMSRsetEntry(*ppOMSR, 0, (uchar*)pData->tplName, OMSR_NO_RQD_TPL_OPTS));
if (pData->dynaKey) {
- CHKmalloc(keydup = ustrdup(pData->key));
CHKiRet(OMSRsetEntry(*ppOMSR, 1, ustrdup(pData->key), OMSR_NO_RQD_TPL_OPTS));
- keydup = NULL; /* handed over */
}
CODE_STD_FINALIZERnewActInst
cnfparamvalsDestruct(pvals, &actpblk);
- free(keydup);
ENDnewActInst
diff -up rsyslog-8.2102.0/contrib/omrabbitmq/omrabbitmq.c.covscan rsyslog-8.2102.0/contrib/omrabbitmq/omrabbitmq.c
--- rsyslog-8.2102.0/contrib/omrabbitmq/omrabbitmq.c.covscan 2021-01-18 11:21:14.000000000 +0100
+++ rsyslog-8.2102.0/contrib/omrabbitmq/omrabbitmq.c 2021-07-22 14:10:31.877231143 +0200
@@ -778,6 +778,7 @@ static rsRetVal publishRabbitMQ(wrkrInst
ABORT_FINALIZE(RS_RET_RABBITMQ_CONN_ERR);
}
+ // coverity[identical_branches : FALSE]
if (manage_error(amqp_basic_publish(self->a_conn, 1, exchange, routing_key,
0, 0, p_amqp_props, body_bytes), "amqp_basic_publish")) {
/* error already notified */
diff -up rsyslog-8.2102.0/grammar/rainerscript.c.covscan rsyslog-8.2102.0/grammar/rainerscript.c
--- rsyslog-8.2102.0/grammar/rainerscript.c.covscan 2021-02-15 12:06:16.000000000 +0100
+++ rsyslog-8.2102.0/grammar/rainerscript.c 2021-07-22 14:10:31.878231140 +0200
@@ -2814,7 +2814,7 @@ evalVar(struct cnfvar *__restrict__ cons
if(bMustBeFreed)
free(pszProp);
}
-
+ // coverity[leaked_storage : FALSE]
}
/* perform a string comparision operation against a while array. Semantic is
diff -up rsyslog-8.2102.0/plugins/imfile/imfile.c.covscan rsyslog-8.2102.0/plugins/imfile/imfile.c
--- rsyslog-8.2102.0/plugins/imfile/imfile.c.covscan 2021-01-18 11:21:14.000000000 +0100
+++ rsyslog-8.2102.0/plugins/imfile/imfile.c 2021-07-22 14:10:31.878231140 +0200
@@ -1278,6 +1278,7 @@ static void ATTR_NONNULL(1)
getFileID(act_obj_t *const act)
{
char tmp_id[FILE_ID_HASH_SIZE];
+ // coverity[buffer_size_warning : FALSE]
strncpy(tmp_id, (const char*)act->file_id, FILE_ID_HASH_SIZE);
act->file_id[0] = '\0';
assert(act->fd >= 0); /* fd must have been opened at act_obj_t creation! */
@@ -1290,6 +1291,7 @@ getFileID(act_obj_t *const act)
DBGPRINTF("getFileID partial or error read, ret %d\n", r);
}
if (strncmp(tmp_id, act->file_id, FILE_ID_HASH_SIZE)) {/* save the old id for cleaning purposes */
+ // coverity[buffer_size_warning : FALSE]
strncpy(act->file_id_prev, tmp_id, FILE_ID_HASH_SIZE);
}
DBGPRINTF("getFileID for '%s', file_id_hash '%s'\n", act->name, act->file_id);
@@ -1544,6 +1546,7 @@ openFileWithoutStateFile(act_obj_t *cons
const int fd = open(act->name, O_RDONLY | O_CLOEXEC);
if(fd >= 0) {
act->pStrm->iCurrOffs = lseek64(fd, 0, SEEK_END);
+ close(fd);
if(act->pStrm->iCurrOffs < 0) {
act->pStrm->iCurrOffs = 0;
LogError(errno, RS_RET_ERR, "imfile: could not query current "
diff -up rsyslog-8.2102.0/plugins/imptcp/imptcp.c.covscan rsyslog-8.2102.0/plugins/imptcp/imptcp.c
--- rsyslog-8.2102.0/plugins/imptcp/imptcp.c.covscan 2021-01-18 11:21:14.000000000 +0100
+++ rsyslog-8.2102.0/plugins/imptcp/imptcp.c 2021-07-22 14:10:31.878231140 +0200
@@ -1920,6 +1920,7 @@ lstnActivity(ptcplstn_t *const pLstn)
}
finalize_it:
+ // coverity[leaked_handle : FALSE]
RETiRet;
}
diff -up rsyslog-8.2102.0/plugins/mmjsonparse/mmjsonparse.c.covscan rsyslog-8.2102.0/plugins/mmjsonparse/mmjsonparse.c
--- rsyslog-8.2102.0/plugins/mmjsonparse/mmjsonparse.c.covscan 2020-10-03 19:06:47.000000000 +0200
+++ rsyslog-8.2102.0/plugins/mmjsonparse/mmjsonparse.c 2021-07-22 14:10:31.879231138 +0200
@@ -394,7 +394,7 @@ CODEmodInit_QueryRegCFSLineHdlr
ABORT_FINALIZE(RS_RET_NO_MSG_PASSING);
}
-
+ // coverity[identical_branches : FALSE]
CHKiRet(omsdRegCFSLineHdlr((uchar *)"resetconfigvariables", 1, eCmdHdlrCustomHandler,
resetConfigVariables, NULL, STD_LOADABLE_MODULE_ID));
ENDmodInit
diff -up rsyslog-8.2102.0/plugins/omclickhouse/omclickhouse.c.covscan rsyslog-8.2102.0/plugins/omclickhouse/omclickhouse.c
--- rsyslog-8.2102.0/plugins/omclickhouse/omclickhouse.c.covscan 2020-10-03 19:06:47.000000000 +0200
+++ rsyslog-8.2102.0/plugins/omclickhouse/omclickhouse.c 2021-07-22 14:10:31.879231138 +0200
@@ -368,6 +368,7 @@ writeDataError(wrkrInstanceData_t *const
}
finalize_it:
+ // coverity[leaked_storage : FALSE]
RETiRet;
}
diff -up rsyslog-8.2102.0/runtime/nsd_gtls.c.covscan rsyslog-8.2102.0/runtime/nsd_gtls.c
--- rsyslog-8.2102.0/runtime/nsd_gtls.c.covscan 2021-01-18 11:21:14.000000000 +0100
+++ rsyslog-8.2102.0/runtime/nsd_gtls.c 2021-07-22 14:17:06.183174167 +0200
@@ -227,7 +227,7 @@ gtlsLoadOurCertKey(nsd_gtls_t *pThis)
pThis->bOurKeyIsInit = 1;
CHKgnutls(gnutls_x509_privkey_import(pThis->ourKey, &data, GNUTLS_X509_FMT_PEM));
free(data.data);
-
+ data.data = NULL;
finalize_it:
if(iRet == RS_RET_CERTLESS) {
diff -up rsyslog-8.2102.0/runtime/nsd_ptcp.c.covscan rsyslog-8.2102.0/runtime/nsd_ptcp.c
--- rsyslog-8.2102.0/runtime/nsd_ptcp.c.covscan 2021-02-15 08:20:04.000000000 +0100
+++ rsyslog-8.2102.0/runtime/nsd_ptcp.c 2021-07-22 14:10:31.879231138 +0200
@@ -191,6 +191,7 @@ SetTlsVerifyDepth(nsd_t __attribute__((u
nsd_ptcp_t *pThis = (nsd_ptcp_t*) pNsd;
DEFiRet;
ISOBJ_TYPE_assert((pThis), nsd_ptcp);
+ // coverity[identical_branches : FALSE]
if (verifyDepth == 0) {
FINALIZE;
}
diff -up rsyslog-8.2102.0/tools/rsyslogd.c.covscan rsyslog-8.2102.0/tools/rsyslogd.c
--- rsyslog-8.2102.0/tools/rsyslogd.c.covscan 2021-01-18 11:21:14.000000000 +0100
+++ rsyslog-8.2102.0/tools/rsyslogd.c 2021-07-22 14:10:31.879231138 +0200
@@ -293,6 +293,7 @@ writePidFile(void)
free((void*)tmpPidFile);
}
finalize_it:
+ // coverity[leaked_storage : FALSE]
RETiRet;
}
@@ -1026,6 +1027,7 @@ splitOversizeMessage(smsg_t *const pMsg)
/* if necessary, write partial last segment */
if(len_last_segment != 0) {
CHKmalloc(pMsg_seg = MsgDup(pMsg));
+ // coverity[copy_paste_error : FALSE]
MsgSetRawMsg(pMsg_seg, rawmsg + (nsegments * maxlen), len_last_segment);
submitMsg2(pMsg_seg);
}

22
SOURCES/rsyslog-8.2102.0-rhbz2064318-errfile-maxsize.patch → SOURCES/rsyslog-8.2102.0-rhbz1962318-errfile-maxsize.patch
Unescape View File

@ -1,5 +1,5 @@
--- rsyslog-8.2102.0-ori/action.c 2021-02-15 12:06:16.000000000 +0100
+++ rsyslog-8.2102.0-changes/action.c 2022-03-10 11:00:11.027242300 +0100
--- rsyslog-8.2102.0/action.c 2021-02-15 12:06:16.000000000 +0100
+++ rsyslog-8.2102.0-changes/action.c 2022-03-08 15:55:33.989525382 +0100
@@ -198,6 +198,7 @@
{ "name", eCmdHdlrGetWord, 0 }, /* legacy: actionname */
{ "type", eCmdHdlrString, CNFPARAM_REQUIRED }, /* legacy: actionname */
@ -17,22 +17,20 @@
pThis->pszExternalStateFile = NULL;
pThis->fdErrFile = -1;
pThis->bWriteAllMarkMsgs = 1;
@@ -1436,6 +1439,14 @@
@@ -1436,6 +1439,12 @@
pThis->pszName, pThis->pszErrFile);
goto done;
}
+ if (pThis->maxErrFileSize > 0) {
+ struct stat statbuf;
+ if (fstat(pThis->fdErrFile, &statbuf) == -1) {
+ LogError(errno, RS_RET_ERR, "failed to fstat %s", pThis->pszErrFile);
+ goto done;
+ }
+ pThis->errFileWritten += statbuf.st_size;
+ struct stat statbuf;
+ if (fstat(pThis->fdErrFile, &statbuf) == -1) {
+ LogError(errno, RS_RET_ERR, "failed to fstat %s", pThis->pszErrFile);
+ goto done;
+ }
+ pThis->errFileWritten += statbuf.st_size;
}
for(int i = 0 ; i < nparams ; ++i) {
@@ -1454,16 +1465,26 @@
@@ -1454,16 +1463,26 @@
char *const rendered = strdup((char*)fjson_object_to_json_string(etry));
if(rendered == NULL)
goto done;
@ -69,7 +67,7 @@
}
free(rendered);
@@ -2048,6 +2069,8 @@
@@ -2048,6 +2067,8 @@
continue; /* this is handled seperately during module select! */
} else if(!strcmp(pblk.descr[i].name, "action.errorfile")) {
pAction->pszErrFile = es_str2cstr(pvals[i].val.d.estr, NULL);

354
SOURCES/rsyslog-8.2102.0-rhbz2046158-correct-custom-ciphers-behaviour.patch
Unescape View File

@ -0,0 +1,354 @@
diff -up rsyslog-8.2102.0/runtime/nsd_ossl.c.orig rsyslog-8.2102.0/runtime/nsd_ossl.c
--- rsyslog-8.2102.0/runtime/nsd_ossl.c.orig 2022-04-15 13:42:05.320615894 +0200
+++ rsyslog-8.2102.0/runtime/nsd_ossl.c 2022-04-15 14:33:43.472482696 +0200
@@ -609,10 +609,10 @@ finalize_it:
}
static rsRetVal
-osslInitSession(nsd_ossl_t *pThis) /* , nsd_ossl_t *pServer) */
+osslInitSession(nsd_ossl_t *pThis, osslSslState_t osslType) /* , nsd_ossl_t *pServer) */
{
DEFiRet;
- BIO *client;
+ BIO *conn;
char pristringBuf[4096];
nsd_ptcp_t *pPtcp = (nsd_ptcp_t*) pThis->pTcp;
@@ -633,10 +633,8 @@ osslInitSession(nsd_ossl_t *pThis) /* ,
if (pThis->DrvrVerifyDepth != 0) {
SSL_set_verify_depth(pThis->ssl, pThis->DrvrVerifyDepth);
}
- }
-
- if (bAnonInit == 1) { /* no mutex needed, read-only after init */
- /* Allow ANON Ciphers */
+ } else if (bAnonInit == 1 && pThis->gnutlsPriorityString == NULL) {
+ /* Allow ANON Ciphers only in ANON Mode and if no custom priority string is defined */
#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
/* NOTE: do never use: +eNULL, it DISABLES encryption! */
strncpy(pristringBuf, "ALL:+COMPLEMENTOFDEFAULT:+ADH:+ECDH:+aNULL@SECLEVEL=0",
@@ -653,21 +651,28 @@ osslInitSession(nsd_ossl_t *pThis) /* ,
}
}
- /* Create BIO from ptcp socket! */
- client = BIO_new_socket(pPtcp->sock, BIO_CLOSE /*BIO_NOCLOSE*/);
- dbgprintf("osslInitSession: Init client BIO[%p] done\n", (void *)client);
- /* Set debug Callback for client BIO as well! */
- BIO_set_callback(client, BIO_debug_callback);
+ /* Create BIO from ptcp socket! */
+ conn = BIO_new_socket(pPtcp->sock, BIO_CLOSE /*BIO_NOCLOSE*/);
+ dbgprintf("osslInitSession: Init conn BIO[%p] done\n", (void *)conn);
-/* TODO: still needed? Set to NON blocking ! */
-BIO_set_nbio( client, 1 );
+ /* Set debug Callback for conn BIO as well! */
+ BIO_set_callback(conn, BIO_debug_callback);
- SSL_set_bio(pThis->ssl, client, client);
- SSL_set_accept_state(pThis->ssl); /* sets ssl to work in server mode. */
+ /* TODO: still needed? Set to NON blocking ! */
+ BIO_set_nbio( conn, 1 );
+ SSL_set_bio(pThis->ssl, conn, conn);
+ if (osslType == osslServer) {
+ /* Server Socket */
+ SSL_set_accept_state(pThis->ssl); /* sets ssl to work in server mode. */
+ pThis->sslState = osslServer; /*set Server state */
+ } else {
+ /* Client Socket */
+ SSL_set_connect_state(pThis->ssl); /*sets ssl to work in client mode.*/
+ pThis->sslState = osslClient; /*set Client state */
+ }
pThis->bHaveSess = 1;
- pThis->sslState = osslServer; /*set Server state */
/* we are done */
FINALIZE;
@@ -1136,8 +1141,8 @@ SetAuthMode(nsd_t *const pNsd, uchar *co
ABORT_FINALIZE(RS_RET_VALUE_NOT_SUPPORTED);
}
- /* Init Anon OpenSSL stuff */
- CHKiRet(osslAnonInit());
+ /* Init Anon OpenSSL stuff */
+ CHKiRet(osslAnonInit());
dbgprintf("SetAuthMode: Set Mode %s/%d\n", mode, pThis->authMode);
@@ -1394,8 +1399,9 @@ osslPostHandshakeCheck(nsd_ossl_t *pNsd)
#if OPENSSL_VERSION_NUMBER >= 0x10002000L
if(SSL_get_shared_curve(pNsd->ssl, -1) == 0) {
- LogError(0, RS_RET_NO_ERRCODE, "nsd_ossl:"
- "No shared curve between syslog client and server.");
+ // This is not a failure
+ LogMsg(0, RS_RET_NO_ERRCODE, LOG_INFO, "nsd_ossl: "
+ "Information, no shared curve between syslog client and server");
}
#endif
sslCipher = (const SSL_CIPHER*) SSL_get_current_cipher(pNsd->ssl);
@@ -1518,7 +1524,7 @@ AcceptConnReq(nsd_t *pNsd, nsd_t **ppNew
pNew->permitExpiredCerts = pThis->permitExpiredCerts;
pNew->pPermPeers = pThis->pPermPeers;
pNew->DrvrVerifyDepth = pThis->DrvrVerifyDepth;
- CHKiRet(osslInitSession(pNew));
+ CHKiRet(osslInitSession(pNew, osslServer));
/* Store nsd_ossl_t* reference in SSL obj */
SSL_set_ex_data(pNew->ssl, 0, pThis);
@@ -1729,9 +1735,6 @@ Connect(nsd_t *pNsd, int family, uchar *
DEFiRet;
DBGPRINTF("openssl: entering Connect family=%d, device=%s\n", family, device);
nsd_ossl_t* pThis = (nsd_ossl_t*) pNsd;
- nsd_ptcp_t* pPtcp = (nsd_ptcp_t*) pThis->pTcp;
- BIO *conn;
- char pristringBuf[4096];
ISOBJ_TYPE_assert(pThis, nsd_ossl);
assert(port != NULL);
@@ -1745,61 +1748,13 @@ Connect(nsd_t *pNsd, int family, uchar *
FINALIZE;
}
- /* Create BIO from ptcp socket! */
- conn = BIO_new_socket(pPtcp->sock, BIO_CLOSE /*BIO_NOCLOSE*/);
- dbgprintf("Connect: Init conn BIO[%p] done\n", (void *)conn);
-
LogMsg(0, RS_RET_NO_ERRCODE, LOG_INFO, "nsd_ossl: "
"TLS Connection initiated with remote syslog server.");
/*if we reach this point we are in tls mode */
DBGPRINTF("Connect: TLS Mode\n");
- if(!(pThis->ssl = SSL_new(ctx))) {
- pThis->ssl = NULL;
- osslLastSSLErrorMsg(0, pThis->ssl, LOG_ERR, "Connect");
- ABORT_FINALIZE(RS_RET_NO_ERRCODE);
- }
- // Set SSL_MODE_AUTO_RETRY to SSL obj
- SSL_set_mode(pThis->ssl, SSL_MODE_AUTO_RETRY);
-
- if (pThis->authMode != OSSL_AUTH_CERTANON) {
- dbgprintf("Connect: enable certificate checking (Mode=%d, VerifyDepth=%d)\n",
- pThis->authMode, pThis->DrvrVerifyDepth);
- /* Enable certificate valid checking */
- SSL_set_verify(pThis->ssl, SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT, verify_callback);
- if (pThis->DrvrVerifyDepth != 0) {
- SSL_set_verify_depth(pThis->ssl, pThis->DrvrVerifyDepth);
- }
- }
-
- if (bAnonInit == 1) { /* no mutex needed, read-only after init */
- /* Allow ANON Ciphers */
- #if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
- /* NOTE: do never use: +eNULL, it DISABLES encryption! */
- strncpy(pristringBuf, "ALL:+COMPLEMENTOFDEFAULT:+ADH:+ECDH:+aNULL@SECLEVEL=0",
- sizeof(pristringBuf));
- #else
- strncpy(pristringBuf, "ALL:+COMPLEMENTOFDEFAULT:+ADH:+ECDH:+aNULL",
- sizeof(pristringBuf));
- #endif
-
- dbgprintf("Connect: setting anon ciphers: %s\n", pristringBuf);
- if ( SSL_set_cipher_list(pThis->ssl, pristringBuf) == 0 ){
- dbgprintf("Connect: Error setting ciphers '%s'\n", pristringBuf);
- ABORT_FINALIZE(RS_RET_SYS_ERR);
- }
- }
-
- /* Set debug Callback for client BIO as well! */
- BIO_set_callback(conn, BIO_debug_callback);
-
-/* TODO: still needed? Set to NON blocking ! */
-BIO_set_nbio( conn, 1 );
-
- SSL_set_bio(pThis->ssl, conn, conn);
- SSL_set_connect_state(pThis->ssl); /*sets ssl to work in client mode.*/
- pThis->sslState = osslClient; /*set Client state */
- pThis->bHaveSess = 1;
+ /* Do SSL Session init */
+ CHKiRet(osslInitSession(pThis, osslClient));
/* Store nsd_ossl_t* reference in SSL obj */
SSL_set_ex_data(pThis->ssl, 0, pThis);
@@ -1828,90 +1783,106 @@ SetGnutlsPriorityString(nsd_t *const pNs
nsd_ossl_t* pThis = (nsd_ossl_t*) pNsd;
ISOBJ_TYPE_assert(pThis, nsd_ossl);
- pThis->gnutlsPriorityString = gnutlsPriorityString;
+ dbgprintf("gnutlsPriorityString: set to '%s'\n",
+ (gnutlsPriorityString != NULL ? (char*)gnutlsPriorityString : "NULL"));
/* Skip function if function is NULL gnutlsPriorityString */
- if (gnutlsPriorityString == NULL) {
- RETiRet;
- } else {
- dbgprintf("gnutlsPriorityString: set to '%s'\n", gnutlsPriorityString);
#if OPENSSL_VERSION_NUMBER >= 0x10002000L && !defined(LIBRESSL_VERSION_NUMBER)
- char *pCurrentPos;
- char *pNextPos;
- char *pszCmd;
- char *pszValue;
- int iConfErr;
-
- /* Set working pointer */
- pCurrentPos = (char*) pThis->gnutlsPriorityString;
- if (pCurrentPos != NULL && strlen(pCurrentPos) > 0) {
- // Create CTX Config Helper
- SSL_CONF_CTX *cctx;
- cctx = SSL_CONF_CTX_new();
- if (pThis->sslState == osslServer) {
- SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_SERVER);
- } else {
- SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_CLIENT);
- }
- SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_FILE);
- SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_SHOW_ERRORS);
- SSL_CONF_CTX_set_ssl_ctx(cctx, ctx);
-
- do
- {
- pNextPos = index(pCurrentPos, '=');
- if (pNextPos != NULL) {
- while ( *pCurrentPos != '\0' &&
- (*pCurrentPos == ' ' || *pCurrentPos == '\t') )
- pCurrentPos++;
- pszCmd = strndup(pCurrentPos, pNextPos-pCurrentPos);
- pCurrentPos = pNextPos+1;
- pNextPos = index(pCurrentPos, '\n');
- pszValue = (pNextPos == NULL ?
- strdup(pCurrentPos) :
- strndup(pCurrentPos, pNextPos - pCurrentPos));
- pCurrentPos = (pNextPos == NULL ? NULL : pNextPos+1);
-
- /* Add SSL Conf Command */
- iConfErr = SSL_CONF_cmd(cctx, pszCmd, pszValue);
- if (iConfErr > 0) {
- dbgprintf("gnutlsPriorityString: Successfully added Command "
- "'%s':'%s'\n",
- pszCmd, pszValue);
- }
- else {
- LogError(0, RS_RET_SYS_ERR, "Failed to added Command: %s:'%s' "
- "in gnutlsPriorityString with error '%d'",
- pszCmd, pszValue, iConfErr);
- }
+ sbool ApplySettings = 0;
+ if ((gnutlsPriorityString != NULL && pThis->gnutlsPriorityString == NULL) ||
+ (gnutlsPriorityString != NULL &&
+ strcmp( (const char*)pThis->gnutlsPriorityString, (const char*)gnutlsPriorityString) != 0)
+ ) {
+ ApplySettings = 1;
+ }
+
+ pThis->gnutlsPriorityString = gnutlsPriorityString;
+ dbgprintf("gnutlsPriorityString: set to '%s' Apply %s\n",
+ (gnutlsPriorityString != NULL ? (char*)gnutlsPriorityString : "NULL"),
+ (ApplySettings == 1? "TRUE" : "FALSE"));
- free(pszCmd);
- free(pszValue);
+ if (ApplySettings) {
+
+ if (gnutlsPriorityString == NULL || ctx == NULL) {
+ RETiRet;
+ } else {
+ dbgprintf("gnutlsPriorityString: set to '%s'\n", gnutlsPriorityString);
+ char *pCurrentPos;
+ char *pNextPos;
+ char *pszCmd;
+ char *pszValue;
+ int iConfErr;
+
+ /* Set working pointer */
+ pCurrentPos = (char*) pThis->gnutlsPriorityString;
+ if (pCurrentPos != NULL && strlen(pCurrentPos) > 0) {
+ // Create CTX Config Helper
+ SSL_CONF_CTX *cctx;
+ cctx = SSL_CONF_CTX_new();
+ if (pThis->sslState == osslServer) {
+ SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_SERVER);
} else {
- /* Abort further parsing */
- pCurrentPos = NULL;
+ SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_CLIENT);
}
- }
- while (pCurrentPos != NULL);
+ SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_FILE);
+ SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_SHOW_ERRORS);
+ SSL_CONF_CTX_set_ssl_ctx(cctx, ctx);
+
+ do
+ {
+ pNextPos = index(pCurrentPos, '=');
+ if (pNextPos != NULL) {
+ while ( *pCurrentPos != '\0' &&
+ (*pCurrentPos == ' ' || *pCurrentPos == '\t') )
+ pCurrentPos++;
+ pszCmd = strndup(pCurrentPos, pNextPos-pCurrentPos);
+ pCurrentPos = pNextPos+1;
+ pNextPos = index(pCurrentPos, '\n');
+ pszValue = (pNextPos == NULL ?
+ strdup(pCurrentPos) :
+ strndup(pCurrentPos, pNextPos - pCurrentPos));
+ pCurrentPos = (pNextPos == NULL ? NULL : pNextPos+1);
+
+ /* Add SSL Conf Command */
+ iConfErr = SSL_CONF_cmd(cctx, pszCmd, pszValue);
+ if (iConfErr > 0) {
+ dbgprintf("gnutlsPriorityString: Successfully added Command "
+ "'%s':'%s'\n",
+ pszCmd, pszValue);
+ }
+ else {
+ LogError(0, RS_RET_SYS_ERR, "Failed to added Command: %s:'%s' "
+ "in gnutlsPriorityString with error '%d'",
+ pszCmd, pszValue, iConfErr);
+ }
+
+ free(pszCmd);
+ free(pszValue);
+ } else {
+ /* Abort further parsing */
+ pCurrentPos = NULL;
+ }
+ }
+ while (pCurrentPos != NULL);
- /* Finalize SSL Conf */
- iConfErr = SSL_CONF_CTX_finish(cctx);
- if (!iConfErr) {
- LogError(0, RS_RET_SYS_ERR, "Error: setting openssl command parameters: %s"
- "Open ssl error info may follow in next messages",
- pThis->gnutlsPriorityString);
- osslLastSSLErrorMsg(0, NULL, LOG_ERR, "SetGnutlsPriorityString");
+ /* Finalize SSL Conf */
+ iConfErr = SSL_CONF_CTX_finish(cctx);
+ if (!iConfErr) {
+ LogError(0, RS_RET_SYS_ERR, "Error: setting openssl command parameters: %s"
+ "Open ssl error info may follow in next messages",
+ pThis->gnutlsPriorityString);
+ osslLastSSLErrorMsg(0, NULL, LOG_ERR, "SetGnutlsPriorityString");
+ }
+ SSL_CONF_CTX_free(cctx);
}
- SSL_CONF_CTX_free(cctx);
}
+ }
#else
- dbgprintf("gnutlsPriorityString: set to '%s'\n", gnutlsPriorityString);
- LogError(0, RS_RET_SYS_ERR, "Warning: TLS library does not support SSL_CONF_cmd API"
- "(maybe it is too old?). Cannot use gnutlsPriorityString ('%s'). For more see: "
- "https://www.rsyslog.com/doc/master/configuration/modules/imtcp.html#gnutlsprioritystring",
- gnutlsPriorityString);
+ LogError(0, RS_RET_SYS_ERR, "Warning: TLS library does not support SSL_CONF_cmd API"
+ "(maybe it is too old?). Cannot use gnutlsPriorityString ('%s'). For more see: "
+ "https://www.rsyslog.com/doc/master/configuration/modules/imtcp.html#gnutlsprioritystring",
+ gnutlsPriorityString);
#endif
- }
RETiRet;
}

51
SOURCES/rsyslog-8.2102.0-rhbz2064318-errfile-maxsize-doc.patch
Unescape View File

@ -1,51 +0,0 @@
--- a/source/configuration/actions.rst 2020-01-13 09:35:54.000000000 +0100
+++ b/source/configuration/actions.rst 2022-03-09 10:46:23.945881936 +0100
@@ -90,6 +90,12 @@
provided to the action in question, the action name as well as
the rsyslog status code roughly explaining why it failed.
+- **action.errorfile.maxsize** integer
+
+ In some cases, error file needs to be limited in size.
+ This option allows specifying a maximum size, in bytes, for the error file.
+ When error file reaches that size, no more errors are written to it.
+
- **action.execOnlyOnceEveryInterval** integer
Execute action only if the last execute is at last seconds in the
--- a/build/_sources/configuration/actions.rst.txt 2020-01-13 09:35:54.000000000 +0100
+++ b/build/_sources/configuration/actions.rst.txt 2022-03-09 11:17:44.391213038 +0100
@@ -90,6 +90,12 @@
provided to the action in question, the action name as well as
the rsyslog status code roughly explaining why it failed.
+- **action.errorfile.maxsize** integer
+
+ In some cases, error file needs to be limited in size.
+ This option allows specifying a maximum size, in bytes, for the error file.
+ When error file reaches that size, no more errors are written to it.
+
- **action.execOnlyOnceEveryInterval** integer
Execute action only if the last execute is at last seconds in the
--- a/build/configuration/actions.html 2021-02-15 12:53:30.000000000 +0100
+++ b/build/configuration/actions.html 2022-03-09 11:27:04.035799702 +0100
@@ -122,6 +122,11 @@
provided to the action in question, the action name as well as
the rsyslog status code roughly explaining why it failed.</p>
</li>
+<li><p class="first"><strong>action.errorfile.maxsize</strong> integer</p>
+<p>In some cases, error file needs to be limited in size.
+This option allows specifying a maximum size, in bytes, for the error file.
+When error file reaches that size, no more errors are written to it.</p>
+</li>
<li><p class="first"><strong>action.execOnlyOnceEveryInterval</strong> integer</p>
<p>Execute action only if the last execute is at last seconds in the
past (more info in ommail, but may be used with any action)</p>
@@ -672,4 +677,4 @@
<div class="footer" role="contentinfo">
</div>
</body>
-</html>
\ No newline at end of file
+</html>

682
SOURCES/rsyslog-8.2102.0-rhbz2124849-extra-ca-files.patch
Unescape View File

@ -1,682 +0,0 @@
--- rsyslog-8.2102.0.ori/runtime/glbl.h 2020-10-03 19:06:47.000000000 +0200
+++ rsyslog-8.2102.0/runtime/glbl.h 2022-09-06 11:13:31.538674778 +0200
@@ -72,6 +72,7 @@
SIMP_PROP(DfltNetstrmDrvrCAF, uchar*)
SIMP_PROP(DfltNetstrmDrvrKeyFile, uchar*)
SIMP_PROP(DfltNetstrmDrvrCertFile, uchar*)
+ SIMP_PROP(NetstrmDrvrCAExtraFiles, uchar*)
SIMP_PROP(ParserControlCharacterEscapePrefix, uchar)
SIMP_PROP(ParserDropTrailingLFOnReception, int)
SIMP_PROP(ParserEscapeControlCharactersOnReceive, int)
--- rsyslog-8.2102.0.ori/runtime/glbl.c 2022-09-06 10:37:26.440149338 +0200
+++ rsyslog-8.2102.0/runtime/glbl.c 2022-09-06 11:12:06.198378210 +0200
@@ -122,6 +122,7 @@
static uchar *pszDfltNetstrmDrvrCAF = NULL; /* default CA file for the netstrm driver */
static uchar *pszDfltNetstrmDrvrKeyFile = NULL; /* default key file for the netstrm driver (server) */
static uchar *pszDfltNetstrmDrvrCertFile = NULL; /* default cert file for the netstrm driver (server) */
+static uchar *pszNetstrmDrvrCAExtraFiles = NULL; /* list of additional CAExtraFiles */
int bTerminateInputs = 0; /* global switch that inputs shall terminate ASAP (1=> terminate) */
static uchar cCCEscapeChar = '#'; /* character to be used to start an escape sequence for control chars */
static int bDropTrailingLF = 1; /* drop trailing LF's on reception? */
@@ -176,6 +177,7 @@
{ "defaultnetstreamdriverkeyfile", eCmdHdlrString, 0 },
{ "defaultnetstreamdrivercertfile", eCmdHdlrString, 0 },
{ "defaultnetstreamdriver", eCmdHdlrString, 0 },
+ { "netstreamdrivercaextrafiles", eCmdHdlrString, 0 },
{ "maxmessagesize", eCmdHdlrSize, 0 },
{ "oversizemsg.errorfile", eCmdHdlrGetWord, 0 },
{ "oversizemsg.report", eCmdHdlrBinary, 0 },
@@ -307,6 +309,8 @@
/* TODO: use custom function which frees existing value */
SIMP_PROP_SET(DfltNetstrmDrvrCertFile, pszDfltNetstrmDrvrCertFile, uchar*)
/* TODO: use custom function which frees existing value */
+SIMP_PROP_SET(NetstrmDrvrCAExtraFiles, pszNetstrmDrvrCAExtraFiles, uchar*)
+/* TODO: use custom function which frees existing value */
#undef SIMP_PROP
#undef SIMP_PROP_SET
@@ -830,6 +834,13 @@
return(pszDfltNetstrmDrvr == NULL ? DFLT_NETSTRM_DRVR : pszDfltNetstrmDrvr);
}
+/* return the additional ca extra files */
+static uchar*
+GetNetstrmDrvrCAExtraFiles(void)
+{
+ return(pszNetstrmDrvrCAExtraFiles);
+}
+
/* return the current default netstream driver CA File */
static uchar*
@@ -925,6 +936,7 @@
SIMP_PROP(DfltNetstrmDrvrCAF)
SIMP_PROP(DfltNetstrmDrvrKeyFile)
SIMP_PROP(DfltNetstrmDrvrCertFile)
+ SIMP_PROP(NetstrmDrvrCAExtraFiles)
#ifdef USE_UNLIMITED_SELECT
SIMP_PROP(FdSetSize)
#endif
@@ -945,6 +957,8 @@
pszDfltNetstrmDrvrKeyFile = NULL;
free(pszDfltNetstrmDrvrCertFile);
pszDfltNetstrmDrvrCertFile = NULL;
+ free(pszNetstrmDrvrCAExtraFiles);
+ pszNetstrmDrvrCAExtraFiles = NULL;
free(LocalHostNameOverride);
LocalHostNameOverride = NULL;
free(oversizeMsgErrorFile);
@@ -1350,6 +1364,9 @@
free(pszDfltNetstrmDrvr);
pszDfltNetstrmDrvr = (uchar*)
es_str2cstr(cnfparamvals[i].val.d.estr, NULL);
+ } else if(!strcmp(paramblk.descr[i].name, "netstreamdrivercaextrafiles")) {
+ free(pszNetstrmDrvrCAExtraFiles);
+ pszNetstrmDrvrCAExtraFiles = (uchar*) es_str2cstr(cnfparamvals[i].val.d.estr, NULL);
} else if(!strcmp(paramblk.descr[i].name, "preservefqdn")) {
bPreserveFQDN = (int) cnfparamvals[i].val.d.n;
} else if(!strcmp(paramblk.descr[i].name,
@@ -1546,6 +1563,8 @@
&pszDfltNetstrmDrvrKeyFile, NULL));
CHKiRet(regCfSysLineHdlr((uchar *)"defaultnetstreamdrivercertfile", 0, eCmdHdlrGetWord, NULL,
&pszDfltNetstrmDrvrCertFile, NULL));
+ CHKiRet(regCfSysLineHdlr((uchar *)"netstreamdrivercaextrafiles", 0, eCmdHdlrGetWord, NULL,
+ &pszNetstrmDrvrCAExtraFiles, NULL));
CHKiRet(regCfSysLineHdlr((uchar *)"localhostname", 0, eCmdHdlrGetWord, NULL, &LocalHostNameOverride, NULL));
CHKiRet(regCfSysLineHdlr((uchar *)"localhostipif", 0, eCmdHdlrGetWord, setLocalHostIPIF, NULL, NULL));
CHKiRet(regCfSysLineHdlr((uchar *)"optimizeforuniprocessor", 0, eCmdHdlrGoneAway, NULL, NULL, NULL));
@@ -1579,6 +1598,7 @@
free(pszDfltNetstrmDrvrCAF);
free(pszDfltNetstrmDrvrKeyFile);
free(pszDfltNetstrmDrvrCertFile);
+ free(pszNetstrmDrvrCAExtraFiles);
free(pszWorkDir);
free(LocalDomain);
free(LocalHostName);
--- rsyslog-8.2102.0.ori/runtime/nsd_ossl.c 2021-01-18 11:21:14.000000000 +0100
+++ rsyslog-8.2102.0/runtime/nsd_ossl.c 2022-09-06 11:25:18.144130340 +0200
@@ -88,6 +88,7 @@
static short bHaveCA;
static short bHaveCert;
static short bHaveKey;
+static short bHaveExtraCAFiles;
static int bAnonInit;
static MUTEX_TYPE anonInit_mut = PTHREAD_MUTEX_INITIALIZER;
@@ -413,7 +414,8 @@
{
DEFiRet;
DBGPRINTF("openssl: entering osslGlblInit\n");
- const char *caFile, *certFile, *keyFile;
+ const char *caFile, *certFile, *keyFile, *extraCaFile;
+ char *extraCaFiles;
/* Setup OpenSSL library */
if((opensslh_THREAD_setup() == 0) || !SSL_library_init()) {
@@ -450,9 +452,27 @@
} else {
bHaveKey = 1;
}
+ extraCaFiles = (char*) glbl.GetNetstrmDrvrCAExtraFiles();
+ if(extraCaFiles == NULL) {
+ bHaveExtraCAFiles = 0;
+ } else {
+ bHaveExtraCAFiles = 1;
+ }
/* Create main CTX Object */
ctx = SSL_CTX_new(SSLv23_method());
+ if(bHaveExtraCAFiles == 1) {
+ while((extraCaFile = strsep(&extraCaFiles, ","))) {
+ if(SSL_CTX_load_verify_locations(ctx, extraCaFile, NULL) != 1) {
+ LogError(0, RS_RET_TLS_CERT_ERR, "Error: Extra Certificate file could not be accessed. "
+ "Check at least: 1) file path is correct, 2) file exist, "
+ "3) permissions are correct, 4) file content is correct. "
+ "Open ssl error info may follow in next messages");
+ osslLastSSLErrorMsg(0, NULL, LOG_ERR, "osslGlblInit");
+ ABORT_FINALIZE(RS_RET_TLS_CERT_ERR);
+ }
+ }
+ }
if(bHaveCA == 1 && SSL_CTX_load_verify_locations(ctx, caFile, NULL) != 1) {
LogError(0, RS_RET_TLS_CERT_ERR, "Error: CA certificate could not be accessed. "
"Check at least: 1) file path is correct, 2) file exist, "
@@ -476,7 +496,7 @@
"Open ssl error info may follow in next messages");
osslLastSSLErrorMsg(0, NULL, LOG_ERR, "osslGlblInit");
ABORT_FINALIZE(RS_RET_TLS_KEY_ERR);
- }
+ }
/* Set CTX Options */
SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2); /* Disable insecure SSLv2 Protocol */
--- rsyslog-8.2102.0.ori/tests/Makefile.am 2022-09-06 10:37:26.447149363 +0200
+++ rsyslog-8.2102.0/tests/Makefile.am 2022-09-06 12:05:55.443600359 +0200
@@ -1247,7 +1247,8 @@
sndrcv_tls_ossl_servercert_gtls_clientanon.sh \
sndrcv_tls_ossl_serveranon_gtls_clientanon.sh \
sndrcv_tls_gtls_servercert_ossl_clientanon.sh \
- sndrcv_tls_gtls_serveranon_ossl_clientanon.sh
+ sndrcv_tls_gtls_serveranon_ossl_clientanon.sh \
+ sndrcv_ossl_cert_chain.sh
endif
endif
@@ -2575,6 +2576,7 @@
sndrcv_tls_ossl_serveranon_gtls_clientanon.sh \
sndrcv_tls_gtls_servercert_ossl_clientanon.sh \
sndrcv_tls_gtls_serveranon_ossl_clientanon.sh \
+ sndrcv_ossl_cert_chain.sh \
omtcl.sh \
omtcl.tcl \
pmsnare-default.sh \
--- rsyslog-8.2102.0.ori/tests/sndrcv_ossl_cert_chain.sh 1970-01-01 01:00:00.000000000 +0100
+++ rsyslog-8.2102.0/tests/sndrcv_ossl_cert_chain.sh 2022-09-06 10:48:41.512496691 +0200
@@ -0,0 +1,76 @@
+#!/bin/bash
+# alorbach, 2019-01-16
+# This file is part of the rsyslog project, released under ASL 2.0
+. ${srcdir:=.}/diag.sh init
+export NUMMESSAGES=1000
+# uncomment for debugging support:
+#export RSYSLOG_DEBUG="debug nostdout noprintmutexaction"
+export RSYSLOG_DEBUGLOG="log"
+generate_conf
+export PORT_RCVR="$(get_free_port)"
+### This is important, as it must be exactly the same
+### as the ones configured in used certificates
+export HOSTNAME="fedora"
+add_conf '
+global(
+ DefaultNetstreamDriver="ossl"
+ DefaultNetstreamDriverCAFile="'$srcdir/testsuites/certchain/ca-cert.pem'"
+ DefaultNetstreamDriverCertFile="'$srcdir/testsuites/certchain/server-cert.pem'"
+ DefaultNetstreamDriverKeyFile="'$srcdir/testsuites/certchain/server-key.pem'"
+ NetstreamDriverCAExtraFiles="'$srcdir/testsuites/certchain/ca-root-cert.pem'"
+)
+
+module( load="../plugins/imtcp/.libs/imtcp"
+ StreamDriver.Name="ossl"
+ StreamDriver.Mode="1"
+ PermittedPeer="'$HOSTNAME'"
+ StreamDriver.AuthMode="x509/name" )
+# then SENDER sends to this port (not tcpflood!)
+input( type="imtcp" port="'$PORT_RCVR'" )
+
+$template outfmt,"%msg:F,58:2%\n"
+$template dynfile,"'$RSYSLOG_OUT_LOG'" # trick to use relative path names!
+:msg, contains, "msgnum:" ?dynfile;outfmt
+'
+startup
+export RSYSLOG_DEBUGLOG="log2"
+#valgrind="valgrind"
+generate_conf 2
+export TCPFLOOD_PORT="$(get_free_port)"
+add_conf '
+global(
+ defaultNetstreamDriverCAFile="'$srcdir/testsuites/certchain/ca-root-cert.pem'"
+ defaultNetstreamDriverCertFile="'$srcdir/testsuites/certchain/client-cert.pem'"
+ defaultNetstreamDriverKeyFile="'$srcdir/testsuites/certchain/client-key.pem'"
+)
+
+# Note: no TLS for the listener, this is for tcpflood!
+$ModLoad ../plugins/imtcp/.libs/imtcp
+input( type="imtcp" port="0" listenPortFileName="'$RSYSLOG_DYNNAME'.tcpflood_port" )
+
+# set up the action
+action( type="omfwd"
+ protocol="tcp"
+ target="127.0.0.1"
+ port="'$PORT_RCVR'"
+ StreamDriver="ossl"
+ StreamDriverMode="1"
+ StreamDriverAuthMode="x509/name"
+ StreamDriverPermittedPeers="'$HOSTNAME'"
+ )
+' 2
+startup 2
+
+# now inject the messages into instance 2. It will connect to instance 1,
+# and that instance will record the data.
+tcpflood -m$NUMMESSAGES -i1
+wait_file_lines
+# shut down sender when everything is sent, receiver continues to run concurrently
+shutdown_when_empty 2
+wait_shutdown 2
+# now it is time to stop the receiver as well
+shutdown_when_empty
+wait_shutdown
+
+seq_check 1 $NUMMESSAGES
+exit_test
diff -Nuar rsyslog-8.2102.0.ori/tests/testsuites/certchain/ca-cert.pem rsyslog-8.2102.0/tests/testsuites/certchain/ca-cert.pem
--- rsyslog-8.2102.0.ori/tests/testsuites/certchain/ca-cert.pem 1970-01-01 01:00:00.000000000 +0100
+++ rsyslog-8.2102.0/tests/testsuites/certchain/ca-cert.pem 2022-09-06 10:48:41.513496694 +0200
@@ -0,0 +1,29 @@
+-----BEGIN CERTIFICATE-----
+MIIFBzCCA2+gAwIBAgIBATANBgkqhkiG9w0BAQsFADBtMQswCQYDVQQGEwJDWjEQ
+MA4GA1UECBMHTW9yYXZpYTENMAsGA1UEBxMEQnJubzEQMA4GA1UEChMHUmVkIEhh
+dDEMMAoGA1UECxMDR1NTMR0wGwYDVQQDExRyc3lzbG9nK2NoYWluK2Nhcm9vdDAe
+Fw0yMjA2MDYxMzQwNDlaFw0yMzA2MDYxMzQwNDlaMGkxCzAJBgNVBAYTAkNaMRAw
+DgYDVQQIEwdNb3JhdmlhMQ0wCwYDVQQHEwRCcm5vMRAwDgYDVQQKEwdSZWQgSGF0
+MQwwCgYDVQQLEwNHU1MxGTAXBgNVBAMTEHJzeXNsb2crY2hhaW4rY2EwggGiMA0G
+CSqGSIb3DQEBAQUAA4IBjwAwggGKAoIBgQD6yDdc9T3oddk5smOhF8OkRXwb2nvC
+M4RPPiuiACvbVoc3UdW2e4NI77J75JzNQL3gQUpgxGcvWiQt3R67ecYgIWiq0zpi
+MrcU3S0dboK10A6NXtcVc4RgwUPf0c8toM975c/6q2XT9Q0SbcI7HKXdzTXQZJDz
+sqQ3UjJuoCLSl6Dd8M0HXJnd2HlF1h5JeIp5vGrCJzQ5SyO6b4jVODtx/uXBohGn
+2x8NdB7wO5NecDyryrwv+FsUXWS4NNmj917bBuXSx3SmW/G7e8AFvcHN8VG6AxH7
+nap+EWGQia+LNG489flgU3U7Ec8zpTrI1wU6bUi6lK/RPxU0ViCaceGjXfoNofIc
+gGJOSS0LaHjM+c4OhmKWrIJ59j2L/rlIvmfqRO3qgThF4eaOfQTbixe/oiy3gR85
++X6YDXvBwTGZDD6OeG1fCzx/snQLiP3/dRv6LJFE8Krawc9OCOWRDRlIxubrkmYz
+LVBxcFgI4BBGNYVsaMSYrkCVaS2Rv1sNAi0CAwEAAaOBtTCBsjAPBgNVHRMBAf8E
+BTADAQH/MCQGA1UdEQQdMBuCBmZlZG9yYYcEfwAAAYELcm9vdEBmZWRvcmEwDgYD
+VR0PAQH/BAQDAgEGMB0GA1UdDgQWBBQ7t+ub2L0VzaTLfpubh4rnDk2RmjAfBgNV
+HSMEGDAWgBSv9FgWjwDV6oGLewYzCo2/AdWTmzApBgNVHR8EIjAgMB6gHKAahhho
+dHRwOi8vMTI3LjAuMC4xL2dldGNybC8wDQYJKoZIhvcNAQELBQADggGBADrv9nld
+FjKZCIVQCVxYc1/KFFnKo2KRCqvSdfb235Kx+5tSFWUsOfkSGjfLrv2+IFKSirFQ
+uFSac/qOrMo/W/4A+ypahG9Sx9PRD626/myr8exee2ygkcuGOuXvX3HkcpzNCmId
+ZS5ygtscFq3NdntwBJHe2ANOSJKIIBzC+gzn4r/V6PdxPEjiUrFs515/RBByi63r
+wWPeqvbaectyZyFIS0XN3LAjVb+zu0NQJqBpUGJlRBI1bRbPECu94LB8Huk/jgSJ
+OyFUKrnNeqaGqKnRfHxJxT/LjeTkQ/5cCOQTuE9IPbRvTykUzUQ3PrltwNqzAb44
+9Trqvqg+qGTfNuI7EZAO26zXbltYVZ+BmlULjKors49Ozq5l1JIevvq66etrE9oT
+DsII88MSIWn8bqaXETfKdIWtWu7Os7tmBTnfDQWGpNDJ3UwDpkyQPYJZJuSfELX0
+jpuWuE/1SbLxTx8eAe83z4yM3C21Kg5K2eJ0udagjM8xPdqYI8tF/4bNbA==
+-----END CERTIFICATE-----
diff -Nuar rsyslog-8.2102.0.ori/tests/testsuites/certchain/ca-root-cert.pem rsyslog-8.2102.0/tests/testsuites/certchain/ca-root-cert.pem
--- rsyslog-8.2102.0.ori/tests/testsuites/certchain/ca-root-cert.pem 1970-01-01 01:00:00.000000000 +0100
+++ rsyslog-8.2102.0/tests/testsuites/certchain/ca-root-cert.pem 2022-09-06 10:48:41.513496694 +0200
@@ -0,0 +1,29 @@
+-----BEGIN CERTIFICATE-----
+MIIE6jCCA1KgAwIBAgIBATANBgkqhkiG9w0BAQsFADBtMQswCQYDVQQGEwJDWjEQ
+MA4GA1UECBMHTW9yYXZpYTENMAsGA1UEBxMEQnJubzEQMA4GA1UEChMHUmVkIEhh
+dDEMMAoGA1UECxMDR1NTMR0wGwYDVQQDExRyc3lzbG9nK2NoYWluK2Nhcm9vdDAe
+Fw0yMjA2MDYxMzQwNDlaFw0yMzA2MDYxMzQwNDlaMG0xCzAJBgNVBAYTAkNaMRAw
+DgYDVQQIEwdNb3JhdmlhMQ0wCwYDVQQHEwRCcm5vMRAwDgYDVQQKEwdSZWQgSGF0
+MQwwCgYDVQQLEwNHU1MxHTAbBgNVBAMTFHJzeXNsb2crY2hhaW4rY2Fyb290MIIB
+ojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAuqAAv1OIGwQqCi1Mflrq8Buo
+G3UtiD8cMEovjzndFV4Ww5fm+R2vCv+tHq6a85mLL0wdqXh+/bAyDzxaULheXZel
+rGPuUFEH2BpOwKXBd31Vx1x32aN9iaoaND/JVQSp+9PeP9zyKeZIN2vFSyNK7LCA
+hdDXVoYeTktXMbm0vB2vMKk+5Vzc7WfyMfrdDvciuULzLU1RzRS2/RkHNlve5iVQ
+XbNN6CpVtXb0K/kcp4SQIVbNTD/g6Z3JnewSWwqjM9/axTC17rpqhsxaWk712Zjo
+lYeuWKfaF9eRXU951u/vrXMMRkDZe0cq5OiTbc1uUQag7uXkbUtEk5HDSihUWwxz
+MegUdUBXFN6EJ7OauWFOeyVJbbvPRa3q9fdlLILvv5/9SiMim6avcj6DlyUz2RhC
+YPh/gJHItuIbZ6hEU+aKqiDYMTHyibRoqOMZgsc8Vo1JAHQTI6gA8JQtGtjEbzIR
+GFkQkj4tvAQQgl5fs9nuweH9GoIaBl1IoIVZyR9PAgMBAAGjgZQwgZEwDwYDVR0T
+AQH/BAUwAwEB/zAkBgNVHREEHTAbggZmZWRvcmGHBH8AAAGBC3Jvb3RAZmVkb3Jh
+MA4GA1UdDwEB/wQEAwIBBjAdBgNVHQ4EFgQUr/RYFo8A1eqBi3sGMwqNvwHVk5sw
+KQYDVR0fBCIwIDAeoBygGoYYaHR0cDovLzEyNy4wLjAuMS9nZXRjcmwvMA0GCSqG
+SIb3DQEBCwUAA4IBgQBn/NZeqYon25QY1RmjYkCQ0B+uXsquGURETP30hQ+ltbbG
+u4jP+ll+oYkGVt1+eBi8Qw+rf8Qk3Q/+jmCoGS9vVjQc97r3YJxnFb3zB4HDCWdZ
+qXK7GeBlFA4XAtJO0ya8HCx4znuXKiNwqrJJHyyW2gvkY9raRkKOzj3/9jQXgAw4
+1d8NR9SxjKA2PnCSWNdVQOAm4us2tJXJexvbRx+b9Yu8LgUX/AdT4zqkIV8n6oFV
+XNaGyOsDN/+4JEsKbBixL+g3Y6yQHrwKMYq/Gh1WF33u2yYCzMU4Lw9AoYRG0jHi
+iAFchiwneGdC7E+To+qNdH5QJY38ZI7kWg3ADcXzwhTmvVUz5DNub9raE6yZZ4uf
+CyTGAJjH9USuhwH3unmB0kDjEOExIJHm+9uNA8S/81cwoCl2pz/hzr2fQwR2YLSa
+ox9p6cnQmnkL2j2QXhTvjDIswJmxuR43yqDIZUlx6cq1pTSJeN+8WcB2iK61p4DH
+JhH8af3aLUI5FNNgjas=
+-----END CERTIFICATE-----
diff -Nuar rsyslog-8.2102.0.ori/tests/testsuites/certchain/client-cert.pem rsyslog-8.2102.0/tests/testsuites/certchain/client-cert.pem
--- rsyslog-8.2102.0.ori/tests/testsuites/certchain/client-cert.pem 1970-01-01 01:00:00.000000000 +0100
+++ rsyslog-8.2102.0/tests/testsuites/certchain/client-cert.pem 2022-09-06 10:48:41.513496694 +0200
@@ -0,0 +1,26 @@
+-----BEGIN CERTIFICATE-----
+MIIEXjCCAsagAwIBAgIBAjANBgkqhkiG9w0BAQsFADBpMQswCQYDVQQGEwJDWjEQ
+MA4GA1UECBMHTW9yYXZpYTENMAsGA1UEBxMEQnJubzEQMA4GA1UEChMHUmVkIEhh
+dDEMMAoGA1UECxMDR1NTMRkwFwYDVQQDExByc3lzbG9nK2NoYWluK2NhMB4XDTIy
+MDYwNjEzNDA0OVoXDTIzMDYwNjEzNDA0OVowbTELMAkGA1UEBhMCQ1oxEDAOBgNV
+BAgTB01vcmF2aWExDTALBgNVBAcTBEJybm8xEDAOBgNVBAoTB1JlZCBIYXQxDDAK
+BgNVBAsTA0dTUzEdMBsGA1UEAxMUcnN5c2xvZytjaGFpbitjbGllbnQwggEiMA0G
+CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDSIbnL1ViRk9CAPerSirUpBtnR4qYD
+XzPSkVJzX5PKLJkeJ6z6oIPoioh59+70ipL5K4ETkmbUFaKP+Lrk7l53BvAnP8Ba
+1rWNV2gzgyiihGCs7N/iamh9Rzj5lQCvzUJhiTcphcptV+0IIf9rbEggEazbSg1A
+BHxS8EBUx+ddVJc6MAlEbA/sstkqfE14k8YZPZlU9ZmLjyHbsQbfXFegYee6WMP0
+M7CqrMZ0ZWvDRWgqWOE+b8agmIKPb2VxJXuR3iXBJk8ANcrRzn/tXShMuGK5KiWL
+a6mFrzR6w55DgjIAKkmPO43jMO/qbWB91RVys/ztK7qIoXm3yadOeIU1AgMBAAGj
+gYwwgYkwDAYDVR0TAQH/BAIwADATBgNVHSUEDDAKBggrBgEFBQcDAjAkBgNVHREE
+HTAbggZmZWRvcmGHBH8AAAGBC3Jvb3RAZmVkb3JhMB0GA1UdDgQWBBSoW3Alxk4+
+6Uwv80/UE5C5rT4e6TAfBgNVHSMEGDAWgBQ7t+ub2L0VzaTLfpubh4rnDk2RmjAN
+BgkqhkiG9w0BAQsFAAOCAYEA5Nbnwixitghw9Zg3DANXFXiOsQBx7KEup7+x7edw
+n9r2raqNJEjT2Fv+ClEA3CIdPF+4wjoolOPezrNJxKO3UpYCQeO4ZU/QVl8BX8NB
+4v1rUqXsvhE//4FcLvMM+6n8Nrtt1VRhks8N0b0p/md9dFKGucd4otPZm0sbOrsg
+nrhDYzZiFAzJg3zFwOOHzxP6iKj2mfq+2XRiKl7SlbnEj/8l21Ne1V+mDV5++AEZ
+N/quuf8zYHwwuc3Y8K84doow9yBpFqrpBbazb8586utrAbTbytCqskzImFIjo5Oa
+1ujWArMDsVGGr+NzFWwCTz8VTNNJ5H1cBin0gT41/OwUQv8DIJqzmSFTg9Uqmb2V
+ZwjIvMGE4Tz8phzD0IbSXYmQsSeku4olIDM1d+vLvBlipGAeInmA+nZmeZwdD04c
+poqUj+H3mj1r6WOlk2ivV0TUZKO/JHydkBVf2EQJlEmGuSq/7S889fx3GT7jGcOb
+gl5LlIaraMgA48dK8gJUWtJh
+-----END CERTIFICATE-----
diff -Nuar rsyslog-8.2102.0.ori/tests/testsuites/certchain/client-key.pem rsyslog-8.2102.0/tests/testsuites/certchain/client-key.pem
--- rsyslog-8.2102.0.ori/tests/testsuites/certchain/client-key.pem 1970-01-01 01:00:00.000000000 +0100
+++ rsyslog-8.2102.0/tests/testsuites/certchain/client-key.pem 2022-09-06 12:10:13.808498227 +0200
@@ -0,0 +1,134 @@
+Public Key Info:
+ Public Key Algorithm: RSA
+ Key Security Level: Medium (2048 bits)
+
+modulus:
+ 00:d2:21:b9:cb:d5:58:91:93:d0:80:3d:ea:d2:8a:b5
+ 29:06:d9:d1:e2:a6:03:5f:33:d2:91:52:73:5f:93:ca
+ 2c:99:1e:27:ac:fa:a0:83:e8:8a:88:79:f7:ee:f4:8a
+ 92:f9:2b:81:13:92:66:d4:15:a2:8f:f8:ba:e4:ee:5e
+ 77:06:f0:27:3f:c0:5a:d6:b5:8d:57:68:33:83:28:a2
+ 84:60:ac:ec:df:e2:6a:68:7d:47:38:f9:95:00:af:cd
+ 42:61:89:37:29:85:ca:6d:57:ed:08:21:ff:6b:6c:48
+ 20:11:ac:db:4a:0d:40:04:7c:52:f0:40:54:c7:e7:5d
+ 54:97:3a:30:09:44:6c:0f:ec:b2:d9:2a:7c:4d:78:93
+ c6:19:3d:99:54:f5:99:8b:8f:21:db:b1:06:df:5c:57
+ a0:61:e7:ba:58:c3:f4:33:b0:aa:ac:c6:74:65:6b:c3
+ 45:68:2a:58:e1:3e:6f:c6:a0:98:82:8f:6f:65:71:25
+ 7b:91:de:25:c1:26:4f:00:35:ca:d1:ce:7f:ed:5d:28
+ 4c:b8:62:b9:2a:25:8b:6b:a9:85:af:34:7a:c3:9e:43
+ 82:32:00:2a:49:8f:3b:8d:e3:30:ef:ea:6d:60:7d:d5
+ 15:72:b3:fc:ed:2b:ba:88:a1:79:b7:c9:a7:4e:78:85
+ 35:
+
+public exponent:
+ 01:00:01:
+
+private exponent:
+ 1f:0c:c4:bb:8d:e6:ec:7b:ff:0f:34:17:02:cd:64:3f
+ 8f:b7:97:ff:f9:af:fd:dd:56:7c:0a:c6:e9:94:99:07
+ 46:08:e2:ab:f8:cc:c7:31:11:67:61:3e:75:9c:c4:ed
+ 3a:cc:66:e2:51:7b:c8:52:fa:16:74:16:89:c5:7f:47
+ ef:4a:85:42:32:56:39:eb:d1:da:dc:96:e0:06:9d:1d
+ 1a:7b:f2:f4:92:2c:4f:0c:53:fd:e3:43:55:3a:a5:05
+ ee:0b:ac:8f:02:2a:0b:46:36:cc:40:d9:d1:31:ca:e6
+ 92:36:0c:a1:40:9b:f9:0d:b5:e3:b2:5d:d4:bc:27:5a
+ 17:fd:3f:bd:8e:44:55:f2:e3:96:ac:cc:11:be:65:01
+ 55:98:92:92:ac:59:46:fd:e2:11:80:eb:18:56:6a:82
+ 3c:79:ec:30:b7:06:9b:97:55:74:36:17:7e:d8:c6:95
+ 4e:a5:e1:55:5a:2a:d6:5d:cc:86:39:88:82:ba:31:19
+ 98:d7:26:28:09:fe:b4:38:fe:1b:43:19:19:4f:ae:f2
+ 27:18:d6:07:9a:c2:1c:66:2d:5a:e6:22:2e:ca:71:26
+ dc:76:8f:2e:f3:84:e3:61:5f:77:d3:63:8a:d0:6b:42
+ 2a:6f:1b:98:91:b9:82:8d:d4:c4:f3:92:98:b4:a4:f1
+
+
+prime1:
+ 00:e1:f4:19:35:e3:e2:e7:14:a6:56:8b:45:f9:2b:19
+ bb:13:b3:66:73:44:5d:ca:69:cb:73:d9:78:5a:0f:fd
+ de:ba:74:b3:53:70:a9:ab:52:22:34:78:a2:26:4a:aa
+ 8f:1b:65:c1:3e:df:65:8c:9b:9a:70:04:ae:70:f6:ea
+ c4:e5:20:fa:16:e0:4f:56:f4:7b:d1:14:cc:94:e1:3c
+ 58:02:82:98:20:cd:13:cf:a2:49:13:7a:88:c1:84:72
+ 97:4f:1b:e8:d5:cb:6d:43:dd:d2:b8:09:dd:4f:ee:ce
+ 03:0b:c4:c2:9b:cf:3d:a0:a3:57:fd:1c:c9:eb:af:ae
+ 67:
+
+prime2:
+ 00:ee:13:05:f0:4c:13:e2:f8:27:53:c4:ad:89:d9:31
+ b9:1b:e8:17:b9:db:36:cd:54:0c:15:eb:50:85:e4:8b
+ 03:c4:f2:6d:a0:41:dc:99:21:7e:1e:8a:a1:5e:86:fe
+ 53:d2:72:53:73:8a:7e:a2:43:83:d5:af:b0:e0:1a:89
+ b5:3f:b3:26:d2:8e:92:0d:ed:d1:29:ee:c5:f1:ff:fc
+ 67:2c:a6:5d:4c:27:40:8a:5c:a1:23:d4:3f:11:bb:eb
+ 51:84:be:83:ec:73:3c:2e:ff:43:f6:74:16:b8:95:36
+ 2a:0b:1e:04:81:04:08:7a:40:21:dd:fb:dd:97:0a:76
+ 03:
+
+coefficient:
+ 00:a0:4c:15:4b:85:2f:81:6b:2e:e7:68:31:84:84:09
+ c4:45:55:01:da:3d:25:9d:37:67:ab:19:0b:1f:d3:9f
+ fc:09:12:31:66:5a:93:d8:d9:f2:00:c7:f7:03:0d:2b
+ 9d:2d:b8:38:d0:82:de:03:e7:21:03:29:4f:2a:2b:b5
+ 70:a3:bc:5b:bd:0e:f1:8b:bc:22:58:4a:b4:8f:fd:f5
+ d4:f3:99:31:b1:db:f6:1d:d9:12:a2:48:0a:d0:05:1a
+ 72:dc:8e:30:67:3c:e0:6a:b5:dc:93:6f:e4:17:79:a1
+ 63:2e:25:78:ef:86:d7:9c:f3:dd:5b:d2:bd:62:4f:44
+ f9:
+
+exp1:
+ 60:a2:e2:49:5f:0e:83:20:1c:c7:f4:c6:d7:7b:2c:85
+ 0b:36:f6:01:24:63:2c:97:b4:b0:f6:78:77:a4:51:42
+ 79:e2:41:73:d5:42:6b:88:34:22:d6:d9:1a:a1:62:72
+ d4:17:df:df:40:f2:10:81:d8:3a:42:76:4c:cf:fd:b6
+ 79:fc:71:99:69:13:e5:af:a8:68:d2:89:70:bf:27:ec
+ c8:1e:0c:6c:32:e9:5f:2b:1c:2f:dd:7f:31:ac:b0:c9
+ af:c6:d2:fc:e5:04:f5:3a:a0:cd:9f:42:6c:d6:48:7b
+ 9b:03:ea:eb:72:65:fc:17:00:21:bb:b7:4c:3a:95:cf
+
+
+exp2:
+ 00:a1:a7:61:1c:ed:4b:83:8e:24:86:08:c2:1d:1b:d1
+ 5b:73:cb:80:70:be:9c:d3:87:02:3d:cf:ee:79:3b:d9
+ f8:d1:3e:1b:99:f9:9e:a4:8b:cd:6b:47:8e:92:f4:ee
+ b4:53:ed:35:24:fb:21:49:64:b6:9b:de:14:27:d7:5d
+ 32:28:f2:a8:a5:c8:10:fc:4c:42:fe:4a:17:36:5f:2f
+ 2f:8f:6d:d7:63:e2:33:3c:bf:f0:da:b7:3f:ab:f7:01
+ ad:f4:88:b8:63:51:4b:c8:4d:a4:04:30:87:4d:06:64
+ 24:e0:2f:9d:b7:4c:d9:c4:c8:cf:36:3f:d3:12:c0:13
+ a9:
+
+
+Public Key PIN:
+ pin-sha256:I1Gv1FM9aCxvuCmF0uDnbDbIJgm1TFB2dtJV5v2iCEA=
+Public Key ID:
+ sha256:2351afd4533d682c6fb82985d2e0e76c36c82609b54c507676d255e6fda20840
+ sha1:a85b7025c64e3ee94c2ff34fd41390b9ad3e1ee9
+
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEA0iG5y9VYkZPQgD3q0oq1KQbZ0eKmA18z0pFSc1+TyiyZHies
++qCD6IqIeffu9IqS+SuBE5Jm1BWij/i65O5edwbwJz/AWta1jVdoM4MoooRgrOzf
+4mpofUc4+ZUAr81CYYk3KYXKbVftCCH/a2xIIBGs20oNQAR8UvBAVMfnXVSXOjAJ
+RGwP7LLZKnxNeJPGGT2ZVPWZi48h27EG31xXoGHnuljD9DOwqqzGdGVrw0VoKljh
+Pm/GoJiCj29lcSV7kd4lwSZPADXK0c5/7V0oTLhiuSoli2upha80esOeQ4IyACpJ
+jzuN4zDv6m1gfdUVcrP87Su6iKF5t8mnTniFNQIDAQABAoIBAB8MxLuN5ux7/w80
+FwLNZD+Pt5f/+a/93VZ8CsbplJkHRgjiq/jMxzERZ2E+dZzE7TrMZuJRe8hS+hZ0
+FonFf0fvSoVCMlY569Ha3JbgBp0dGnvy9JIsTwxT/eNDVTqlBe4LrI8CKgtGNsxA
+2dExyuaSNgyhQJv5DbXjsl3UvCdaF/0/vY5EVfLjlqzMEb5lAVWYkpKsWUb94hGA
+6xhWaoI8eewwtwabl1V0Nhd+2MaVTqXhVVoq1l3MhjmIgroxGZjXJigJ/rQ4/htD
+GRlPrvInGNYHmsIcZi1a5iIuynEm3HaPLvOE42Ffd9NjitBrQipvG5iRuYKN1MTz
+kpi0pPECgYEA4fQZNePi5xSmVotF+SsZuxOzZnNEXcppy3PZeFoP/d66dLNTcKmr
+UiI0eKImSqqPG2XBPt9ljJuacASucPbqxOUg+hbgT1b0e9EUzJThPFgCgpggzRPP
+okkTeojBhHKXTxvo1cttQ93SuAndT+7OAwvEwpvPPaCjV/0cyeuvrmcCgYEA7hMF
+8EwT4vgnU8StidkxuRvoF7nbNs1UDBXrUIXkiwPE8m2gQdyZIX4eiqFehv5T0nJT
+c4p+okOD1a+w4BqJtT+zJtKOkg3t0SnuxfH//Gcspl1MJ0CKXKEj1D8Ru+tRhL6D
+7HM8Lv9D9nQWuJU2KgseBIEECHpAId373ZcKdgMCgYBgouJJXw6DIBzH9MbXeyyF
+Czb2ASRjLJe0sPZ4d6RRQnniQXPVQmuINCLW2RqhYnLUF9/fQPIQgdg6QnZMz/22
+efxxmWkT5a+oaNKJcL8n7MgeDGwy6V8rHC/dfzGssMmvxtL85QT1OqDNn0Js1kh7
+mwPq63Jl/BcAIbu3TDqVzwKBgQChp2Ec7UuDjiSGCMIdG9Fbc8uAcL6c04cCPc/u
+eTvZ+NE+G5n5nqSLzWtHjpL07rRT7TUk+yFJZLab3hQn110yKPKopcgQ/ExC/koX
+Nl8vL49t12PiMzy/8Nq3P6v3Aa30iLhjUUvITaQEMIdNBmQk4C+dt0zZxMjPNj/T
+EsATqQKBgQCgTBVLhS+Bay7naDGEhAnERVUB2j0lnTdnqxkLH9Of/AkSMWZak9jZ
+8gDH9wMNK50tuDjQgt4D5yEDKU8qK7Vwo7xbvQ7xi7wiWEq0j/311POZMbHb9h3Z
+EqJICtAFGnLcjjBnPOBqtdyTb+QXeaFjLiV474bXnPPdW9K9Yk9E+Q==
+-----END RSA PRIVATE KEY-----
diff -Nuar rsyslog-8.2102.0.ori/tests/testsuites/certchain/server-cert.pem rsyslog-8.2102.0/tests/testsuites/certchain/server-cert.pem
--- rsyslog-8.2102.0.ori/tests/testsuites/certchain/server-cert.pem 1970-01-01 01:00:00.000000000 +0100
+++ rsyslog-8.2102.0/tests/testsuites/certchain/server-cert.pem 2022-09-06 10:48:41.513496694 +0200
@@ -0,0 +1,55 @@
+-----BEGIN CERTIFICATE-----
+MIIEVTCCAr2gAwIBAgIBAjANBgkqhkiG9w0BAQsFADBpMQswCQYDVQQGEwJDWjEQ
+MA4GA1UECBMHTW9yYXZpYTENMAsGA1UEBxMEQnJubzEQMA4GA1UEChMHUmVkIEhh
+dDEMMAoGA1UECxMDR1NTMRkwFwYDVQQDExByc3lzbG9nK2NoYWluK2NhMB4XDTIy
+MDYwNjEzNDA0OVoXDTIzMDYwNjEzNDA0OVowbTELMAkGA1UEBhMCQ1oxEDAOBgNV
+BAgTB01vcmF2aWExDTALBgNVBAcTBEJybm8xEDAOBgNVBAoTB1JlZCBIYXQxDDAK
+BgNVBAsTA0dTUzEdMBsGA1UEAxMUcnN5c2xvZytjaGFpbitzZXJ2ZXIwggEiMA0G
+CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC3mDP67/SPVbCCgInxXNr9sOLz2yWx
+fa4jtgdbgWK5mib4XdPYTdH6hRiur/n6yn9rzhDeFFMUhSwQpQ81OyZfUFNU0A0q
+x7AZMgVOm3ZqMDk8O57UfuSdURJJPsEwMzZ8Q5d6wyq7xheX0DZjB8LUN8J6SX4w
+K2Ok1wCBOQdfjvW09tOVqQK7puHq85UWsEBTiZ7ie1Fg6FLNscPVoavjNNyYAORM
+Vz0Byv1zBdJzBHufqHUdjX7uMkUPcKfiU/TjQWMRYF3Yp5z2wFohi4Zgtise7xW5
+SfgcAIjA1bm5xMIaiUxRUZHUhCaoj6c2vZygrFO7MuB/2ngoEbqZ57pdAgMBAAGj
+gYMwgYAwDAYDVR0TAQH/BAIwADAwBgNVHREEKTAnggZmZWRvcmGHBH8AAAGBF3Jv
+b3RAZmVkb3JhdGxzd3d3c2VydmVyMB0GA1UdDgQWBBRxxQqJoRCHlrmwDLcB0aU3
+W/QRbDAfBgNVHSMEGDAWgBQ7t+ub2L0VzaTLfpubh4rnDk2RmjANBgkqhkiG9w0B
+AQsFAAOCAYEAkheMCnXNDh2fOhMyOifBFKqlUUsYzZoYU5UNweZijdKAKxJ4zdsS
+i31a2IG4ePBPX7PShUUr2E1PEQ2XBDi/HcCoK54qcqzhxGS83Rf/2YxN4BjU8jaA
+7RhIA0fv5haKxxhjRIDT6vsAXPB0HM/f3Y+E21GVbsQVUE1pP8QrDkcU0EwIjEfW
+tFEBitmb0s/11d8/ZLdYAuvvfzDzuN9kuAcj5dkdpB5Wo9R3h2NXnD6EIWIUHn/I
+zwgXdb/n9gUI6jQMC6shFjXScVT2jgjfziWi/M66PBbtEbEnhOEKdbW0o2lPiL3j
+2UDj6fMshRBAnSoBtEYm/lywBs3vDUGpMUSQFIAwPgUkizAl5DEdmE9PLqRL9HNT
+UIg8tQql9Xr29edEiuMHpIyH8eEa+KI2CpKG3KfYDBMaC7z9MvkpYuSuIG3dsQxy
+YguWDH7c0iosQVpHx8dxj5Exj1/QOXcD5tAVY/+DBe48nRzDTlZmRGQjtqr6Nw0j
+BIXBoqaes0D4
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIFBzCCA2+gAwIBAgIBATANBgkqhkiG9w0BAQsFADBtMQswCQYDVQQGEwJDWjEQ
+MA4GA1UECBMHTW9yYXZpYTENMAsGA1UEBxMEQnJubzEQMA4GA1UEChMHUmVkIEhh
+dDEMMAoGA1UECxMDR1NTMR0wGwYDVQQDExRyc3lzbG9nK2NoYWluK2Nhcm9vdDAe
+Fw0yMjA2MDYxMzQwNDlaFw0yMzA2MDYxMzQwNDlaMGkxCzAJBgNVBAYTAkNaMRAw
+DgYDVQQIEwdNb3JhdmlhMQ0wCwYDVQQHEwRCcm5vMRAwDgYDVQQKEwdSZWQgSGF0
+MQwwCgYDVQQLEwNHU1MxGTAXBgNVBAMTEHJzeXNsb2crY2hhaW4rY2EwggGiMA0G
+CSqGSIb3DQEBAQUAA4IBjwAwggGKAoIBgQD6yDdc9T3oddk5smOhF8OkRXwb2nvC
+M4RPPiuiACvbVoc3UdW2e4NI77J75JzNQL3gQUpgxGcvWiQt3R67ecYgIWiq0zpi
+MrcU3S0dboK10A6NXtcVc4RgwUPf0c8toM975c/6q2XT9Q0SbcI7HKXdzTXQZJDz
+sqQ3UjJuoCLSl6Dd8M0HXJnd2HlF1h5JeIp5vGrCJzQ5SyO6b4jVODtx/uXBohGn
+2x8NdB7wO5NecDyryrwv+FsUXWS4NNmj917bBuXSx3SmW/G7e8AFvcHN8VG6AxH7
+nap+EWGQia+LNG489flgU3U7Ec8zpTrI1wU6bUi6lK/RPxU0ViCaceGjXfoNofIc
+gGJOSS0LaHjM+c4OhmKWrIJ59j2L/rlIvmfqRO3qgThF4eaOfQTbixe/oiy3gR85
++X6YDXvBwTGZDD6OeG1fCzx/snQLiP3/dRv6LJFE8Krawc9OCOWRDRlIxubrkmYz
+LVBxcFgI4BBGNYVsaMSYrkCVaS2Rv1sNAi0CAwEAAaOBtTCBsjAPBgNVHRMBAf8E
+BTADAQH/MCQGA1UdEQQdMBuCBmZlZG9yYYcEfwAAAYELcm9vdEBmZWRvcmEwDgYD
+VR0PAQH/BAQDAgEGMB0GA1UdDgQWBBQ7t+ub2L0VzaTLfpubh4rnDk2RmjAfBgNV
+HSMEGDAWgBSv9FgWjwDV6oGLewYzCo2/AdWTmzApBgNVHR8EIjAgMB6gHKAahhho
+dHRwOi8vMTI3LjAuMC4xL2dldGNybC8wDQYJKoZIhvcNAQELBQADggGBADrv9nld
+FjKZCIVQCVxYc1/KFFnKo2KRCqvSdfb235Kx+5tSFWUsOfkSGjfLrv2+IFKSirFQ
+uFSac/qOrMo/W/4A+ypahG9Sx9PRD626/myr8exee2ygkcuGOuXvX3HkcpzNCmId
+ZS5ygtscFq3NdntwBJHe2ANOSJKIIBzC+gzn4r/V6PdxPEjiUrFs515/RBByi63r
+wWPeqvbaectyZyFIS0XN3LAjVb+zu0NQJqBpUGJlRBI1bRbPECu94LB8Huk/jgSJ
+OyFUKrnNeqaGqKnRfHxJxT/LjeTkQ/5cCOQTuE9IPbRvTykUzUQ3PrltwNqzAb44
+9Trqvqg+qGTfNuI7EZAO26zXbltYVZ+BmlULjKors49Ozq5l1JIevvq66etrE9oT
+DsII88MSIWn8bqaXETfKdIWtWu7Os7tmBTnfDQWGpNDJ3UwDpkyQPYJZJuSfELX0
+jpuWuE/1SbLxTx8eAe83z4yM3C21Kg5K2eJ0udagjM8xPdqYI8tF/4bNbA==
+-----END CERTIFICATE-----
diff -Nuar rsyslog-8.2102.0.ori/tests/testsuites/certchain/server-key.pem rsyslog-8.2102.0/tests/testsuites/certchain/server-key.pem
--- rsyslog-8.2102.0.ori/tests/testsuites/certchain/server-key.pem 1970-01-01 01:00:00.000000000 +0100
+++ rsyslog-8.2102.0/tests/testsuites/certchain/server-key.pem 2022-09-06 12:10:28.635549755 +0200
@@ -0,0 +1,133 @@
+Public Key Info:
+ Public Key Algorithm: RSA
+ Key Security Level: Medium (2048 bits)
+
+modulus:
+ 00:b7:98:33:fa:ef:f4:8f:55:b0:82:80:89:f1:5c:da
+ fd:b0:e2:f3:db:25:b1:7d:ae:23:b6:07:5b:81:62:b9
+ 9a:26:f8:5d:d3:d8:4d:d1:fa:85:18:ae:af:f9:fa:ca
+ 7f:6b:ce:10:de:14:53:14:85:2c:10:a5:0f:35:3b:26
+ 5f:50:53:54:d0:0d:2a:c7:b0:19:32:05:4e:9b:76:6a
+ 30:39:3c:3b:9e:d4:7e:e4:9d:51:12:49:3e:c1:30:33
+ 36:7c:43:97:7a:c3:2a:bb:c6:17:97:d0:36:63:07:c2
+ d4:37:c2:7a:49:7e:30:2b:63:a4:d7:00:81:39:07:5f
+ 8e:f5:b4:f6:d3:95:a9:02:bb:a6:e1:ea:f3:95:16:b0
+ 40:53:89:9e:e2:7b:51:60:e8:52:cd:b1:c3:d5:a1:ab
+ e3:34:dc:98:00:e4:4c:57:3d:01:ca:fd:73:05:d2:73
+ 04:7b:9f:a8:75:1d:8d:7e:ee:32:45:0f:70:a7:e2:53
+ f4:e3:41:63:11:60:5d:d8:a7:9c:f6:c0:5a:21:8b:86
+ 60:b6:2b:1e:ef:15:b9:49:f8:1c:00:88:c0:d5:b9:b9
+ c4:c2:1a:89:4c:51:51:91:d4:84:26:a8:8f:a7:36:bd
+ 9c:a0:ac:53:bb:32:e0:7f:da:78:28:11:ba:99:e7:ba
+ 5d:
+
+public exponent:
+ 01:00:01:
+
+private exponent:
+ 68:06:20:25:a5:82:0f:18:c1:3b:20:33:88:83:51:3d
+ 7e:d5:08:d0:79:a9:f8:89:0b:88:de:e0:55:0e:28:15
+ 94:d1:12:f0:ae:55:61:8d:2d:8e:8f:a3:fb:e2:c2:8b
+ b1:fc:7f:08:25:c1:f1:15:87:a3:22:b2:dc:39:58:83
+ 96:d2:b0:72:75:93:70:b3:71:83:2b:08:a0:03:57:25
+ 5d:b8:a8:1b:55:51:54:9d:62:4b:17:1f:2c:7c:ef:f7
+ 86:2f:12:0c:27:ba:f5:cb:c6:a0:69:03:f7:d6:74:e8
+ a3:73:58:b0:7d:84:33:81:70:eb:b5:48:82:94:8f:ea
+ 4c:c7:9c:58:02:90:68:b1:64:29:df:a8:8a:69:15:d4
+ 49:21:2f:aa:25:f1:e7:10:8b:93:37:ca:51:d3:4e:d6
+ de:cf:60:04:6b:10:41:1b:f5:0f:be:b7:2a:cd:41:44
+ 50:25:be:e5:57:60:1e:3e:e9:d7:70:86:68:a6:4f:3d
+ 7d:d8:0e:7f:9b:de:de:e6:02:35:33:9f:b6:68:bb:cd
+ 2f:33:69:09:9e:da:91:6b:16:89:db:14:20:59:3a:92
+ 7e:78:4e:e1:02:3f:c8:a5:3f:bd:f2:bc:3a:da:f2:97
+ 06:f5:96:eb:c8:09:f7:04:cb:7f:e2:e2:12:52:d4:21
+
+
+prime1:
+ 00:ed:e4:b8:72:ee:b0:9e:38:db:f8:e7:fa:52:a5:94
+ 4a:4b:05:54:f0:96:23:72:d6:01:ba:9f:f4:3e:65:24
+ 29:c0:47:4a:6f:a9:a4:02:36:c5:2c:c5:ea:cd:09:5c
+ 2d:8e:3c:56:aa:e4:e7:85:32:a8:a7:4f:18:12:17:8c
+ 93:15:07:da:3e:f4:df:33:7e:35:39:59:2d:f4:1c:ba
+ 65:e8:42:c7:75:a0:c2:53:47:ad:ee:74:44:21:6a:42
+ 75:7f:40:1f:8b:06:0e:df:c3:02:4d:50:58:75:f2:29
+ 58:e2:0c:a0:7b:fe:be:c4:ab:76:ff:24:c1:4b:e6:ce
+ 75:
+
+prime2:
+ 00:c5:91:7c:48:59:dd:05:68:5c:8a:46:0b:3b:69:92
+ 80:d1:c6:28:27:88:c8:a9:73:7c:32:ee:87:a7:31:29
+ ff:56:38:41:07:3e:0f:01:5c:cf:eb:93:db:e7:fb:b9
+ e7:15:94:93:ea:fa:f8:60:79:c6:16:d2:db:9b:64:5f
+ c3:b8:f0:52:c0:e7:ff:e0:9a:94:22:fb:7e:5e:80:8f
+ c0:ca:46:f4:87:91:e7:ad:6d:74:26:d1:fa:c0:f8:f5
+ 7e:b3:0c:bb:23:5e:7d:5d:8b:c9:2e:68:76:be:d4:b4
+ 75:de:3c:70:70:ad:1e:64:de:e4:1d:f7:df:af:46:0f
+ 49:
+
+coefficient:
+ 00:89:f1:2c:f9:14:89:25:21:7a:ad:75:30:f0:b1:e7
+ 20:b3:14:14:d7:c9:b6:78:3c:c7:c8:92:3a:64:8e:47
+ d0:10:fc:01:a9:a6:25:a5:61:6d:8f:da:d4:85:fa:06
+ 9f:a5:27:a8:7d:38:e2:67:19:65:ab:a9:00:52:8c:f3
+ 51:fe:f9:a6:4f:ab:47:04:0a:86:ae:f0:fe:3d:2d:72
+ 76:6d:ad:03:48:af:23:67:92:28:34:83:bc:45:7d:c0
+ 45:ca:89:4a:4f:dd:11:a6:3a:5a:23:47:f4:7c:82:42
+ dc:e8:56:85:d8:1b:9d:08:9c:6e:ca:17:58:d7:d4:bb
+ 77:
+
+exp1:
+ 21:50:b8:ac:0f:d5:58:33:2a:4b:2f:61:95:15:6f:31
+ 00:54:9c:d2:9c:94:16:4e:f6:2b:06:9f:93:e5:62:2d
+ 1e:aa:5d:38:4a:0f:97:e7:c7:b1:3f:7e:64:7c:7d:16
+ 3c:27:23:14:07:be:8c:9e:cd:93:b0:b5:f4:42:ac:03
+ 25:1c:d6:69:9e:ad:6b:6e:af:51:7a:b5:be:cc:0f:26
+ 9a:62:4f:c0:9f:64:d7:78:e0:58:d6:9b:7b:fa:7f:98
+ 28:db:f8:0e:e6:28:4b:19:ea:46:9d:8b:e5:e8:a5:f5
+ b6:a2:82:0f:1b:5b:e7:fb:03:4d:33:fe:85:fc:aa:c9
+
+
+exp2:
+ 59:36:db:22:68:c1:ef:a1:32:b8:95:ec:98:85:91:cc
+ 6d:ed:c7:50:22:ea:49:ea:86:59:11:71:5c:44:4d:2c
+ aa:28:78:e4:e6:57:2c:4c:56:ef:90:33:2b:4c:76:a4
+ 2d:10:8c:c2:fd:55:8f:6b:2d:d2:3c:a1:42:48:4f:1e
+ 38:b2:fd:0b:73:38:0e:9a:7e:ee:55:16:b9:61:e0:88
+ 34:4f:5a:38:a5:e0:32:66:4c:9f:03:0e:f2:78:f9:92
+ 9f:13:ce:a5:a8:13:80:5c:91:1a:4d:bd:e1:6a:77:9b
+ 0a:21:cc:bc:74:d0:56:c8:77:c6:38:9a:5f:b1:89:51
+
+
+
+Public Key PIN:
+ pin-sha256:FSR0pC1TUEe+ZMU7YSVDDmYP4hmDlsIJRKf4D8LiJZ8=
+Public Key ID:
+ sha256:152474a42d535047be64c53b6125430e660fe2198396c20944a7f80fc2e2259f
+ sha1:71c50a89a1108796b9b00cb701d1a5375bf4116c
+
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEAt5gz+u/0j1WwgoCJ8Vza/bDi89slsX2uI7YHW4FiuZom+F3T
+2E3R+oUYrq/5+sp/a84Q3hRTFIUsEKUPNTsmX1BTVNANKsewGTIFTpt2ajA5PDue
+1H7knVESST7BMDM2fEOXesMqu8YXl9A2YwfC1DfCekl+MCtjpNcAgTkHX471tPbT
+lakCu6bh6vOVFrBAU4me4ntRYOhSzbHD1aGr4zTcmADkTFc9Acr9cwXScwR7n6h1
+HY1+7jJFD3Cn4lP040FjEWBd2Kec9sBaIYuGYLYrHu8VuUn4HACIwNW5ucTCGolM
+UVGR1IQmqI+nNr2coKxTuzLgf9p4KBG6mee6XQIDAQABAoIBAGgGICWlgg8YwTsg
+M4iDUT1+1QjQean4iQuI3uBVDigVlNES8K5VYY0tjo+j++LCi7H8fwglwfEVh6Mi
+stw5WIOW0rBydZNws3GDKwigA1clXbioG1VRVJ1iSxcfLHzv94YvEgwnuvXLxqBp
+A/fWdOijc1iwfYQzgXDrtUiClI/qTMecWAKQaLFkKd+oimkV1EkhL6ol8ecQi5M3
+ylHTTtbez2AEaxBBG/UPvrcqzUFEUCW+5VdgHj7p13CGaKZPPX3YDn+b3t7mAjUz
+n7Zou80vM2kJntqRaxaJ2xQgWTqSfnhO4QI/yKU/vfK8Otrylwb1luvICfcEy3/i
+4hJS1CECgYEA7eS4cu6wnjjb+Of6UqWUSksFVPCWI3LWAbqf9D5lJCnAR0pvqaQC
+NsUsxerNCVwtjjxWquTnhTKop08YEheMkxUH2j703zN+NTlZLfQcumXoQsd1oMJT
+R63udEQhakJ1f0AfiwYO38MCTVBYdfIpWOIMoHv+vsSrdv8kwUvmznUCgYEAxZF8
+SFndBWhcikYLO2mSgNHGKCeIyKlzfDLuh6cxKf9WOEEHPg8BXM/rk9vn+7nnFZST
+6vr4YHnGFtLbm2Rfw7jwUsDn/+CalCL7fl6Aj8DKRvSHkeetbXQm0frA+PV+swy7
+I159XYvJLmh2vtS0dd48cHCtHmTe5B33369GD0kCgYAhULisD9VYMypLL2GVFW8x
+AFSc0pyUFk72Kwafk+ViLR6qXThKD5fnx7E/fmR8fRY8JyMUB76Mns2TsLX0QqwD
+JRzWaZ6ta26vUXq1vswPJppiT8CfZNd44FjWm3v6f5go2/gO5ihLGepGnYvl6KX1
+tqKCDxtb5/sDTTP+hfyqyQKBgFk22yJowe+hMriV7JiFkcxt7cdQIupJ6oZZEXFc
+RE0sqih45OZXLExW75AzK0x2pC0QjML9VY9rLdI8oUJITx44sv0LczgOmn7uVRa5
+YeCINE9aOKXgMmZMnwMO8nj5kp8TzqWoE4BckRpNveFqd5sKIcy8dNBWyHfGOJpf
+sYlRAoGBAInxLPkUiSUheq11MPCx5yCzFBTXybZ4PMfIkjpkjkfQEPwBqaYlpWFt
+j9rUhfoGn6UnqH044mcZZaupAFKM81H++aZPq0cECoau8P49LXJ2ba0DSK8jZ5Io
+NIO8RX3ARcqJSk/dEaY6WiNH9HyCQtzoVoXYG50InG7KF1jX1Lt3
+-----END RSA PRIVATE KEY-----

12
SOURCES/rsyslog-8.2102.0-rhbz2124849-extra-ca-files-doc.patch → SOURCES/rsyslog-8.2102.0-rhbz2124934-extra-ca-files-doc.patch
Unescape View File

@ -1,21 +1,19 @@
--- rsyslog-8.2102.0/doc/configuration/global/index.html 2021-02-15 12:53:30.000000000 +0100
+++ rsyslog-8.2102.0.backup.doc.202209071236/doc/configuration/global/index.html 2022-09-07 12:33:21.318360707 +0200
@@ -119,7 +119,14 @@
--- rsyslog-8.2102.0.ori/doc/configuration/global/index.html 2021-02-15 12:53:30.000000000 +0100
+++ rsyslog-8.2102.0/doc/configuration/global/index.html 2022-09-07 13:32:10.426621438 +0200
@@ -119,6 +119,13 @@
<a class="reference internal" href="../../concepts/netstrm_drvr.html"><span class="doc">network stream driver</span></a> to use.
Defaults to ptcp.</p>
</li>
-<li><p class="first"><strong>$DefaultNetstreamDriverCAFile</strong> &lt;/path/to/cafile.pem&gt;</p>
+<li><p class="first"><strong>$DefaultNetstreamDriverCAFile</strong> &lt;/path/to/cafile.pem&gt;</p>
+</li>
+<li><p class="first"><strong>$NetstreamDriverCAExtraFiles</strong> &lt;/path/to/extracafile.pem&gt; -
+This directive allows to configure multiple additional extra CA files.
+This is intended for SSL certificate chains to work appropriately,
+as the different CA files in the chain need to be specified.
+It must be remarked that this directive only works with the OpenSSL driver.
+</p>
+</li>
<li><p class="first"><strong>$DefaultNetstreamDriverCAFile</strong> &lt;/path/to/cafile.pem&gt;</p>
</li>
<li><p class="first"><strong>$DefaultNetstreamDriverCertFile</strong> &lt;/path/to/certfile.pem&gt;</p>
</li>
@@ -311,4 +318,4 @@
<div class="footer" role="contentinfo">
</div>

134
SOURCES/rsyslog-8.2102.0-rhbz2124934-extra-ca-files.patch
Unescape View File

@ -0,0 +1,134 @@
--- rsyslog-8.2102.0.ori/runtime/glbl.h 2020-10-03 19:06:47.000000000 +0200
+++ rsyslog-8.2102.0/runtime/glbl.h 2022-09-07 13:32:51.623799582 +0200
@@ -72,6 +72,7 @@
SIMP_PROP(DfltNetstrmDrvrCAF, uchar*)
SIMP_PROP(DfltNetstrmDrvrKeyFile, uchar*)
SIMP_PROP(DfltNetstrmDrvrCertFile, uchar*)
+ SIMP_PROP(NetstrmDrvrCAExtraFiles, uchar*)
SIMP_PROP(ParserControlCharacterEscapePrefix, uchar)
SIMP_PROP(ParserDropTrailingLFOnReception, int)
SIMP_PROP(ParserEscapeControlCharactersOnReceive, int)
--- rsyslog-8.2102.0.ori/runtime/glbl.c 2022-09-07 13:17:02.669696053 +0200
+++ rsyslog-8.2102.0/runtime/glbl.c 2022-09-07 13:56:37.678966129 +0200
@@ -122,6 +122,7 @@
static uchar *pszDfltNetstrmDrvrCAF = NULL; /* default CA file for the netstrm driver */
static uchar *pszDfltNetstrmDrvrKeyFile = NULL; /* default key file for the netstrm driver (server) */
static uchar *pszDfltNetstrmDrvrCertFile = NULL; /* default cert file for the netstrm driver (server) */
+static uchar *pszNetstrmDrvrCAExtraFiles = NULL; /* list of additional CAExtraFiles */
int bTerminateInputs = 0; /* global switch that inputs shall terminate ASAP (1=> terminate) */
static uchar cCCEscapeChar = '#'; /* character to be used to start an escape sequence for control chars */
static int bDropTrailingLF = 1; /* drop trailing LF's on reception? */
@@ -176,6 +177,7 @@
{ "defaultnetstreamdriverkeyfile", eCmdHdlrString, 0 },
{ "defaultnetstreamdrivercertfile", eCmdHdlrString, 0 },
{ "defaultnetstreamdriver", eCmdHdlrString, 0 },
+ { "netstreamdrivercaextrafiles", eCmdHdlrString, 0 },
{ "maxmessagesize", eCmdHdlrSize, 0 },
{ "oversizemsg.errorfile", eCmdHdlrGetWord, 0 },
{ "oversizemsg.report", eCmdHdlrBinary, 0 },
@@ -307,6 +309,8 @@
/* TODO: use custom function which frees existing value */
SIMP_PROP_SET(DfltNetstrmDrvrCertFile, pszDfltNetstrmDrvrCertFile, uchar*)
/* TODO: use custom function which frees existing value */
+SIMP_PROP_SET(NetstrmDrvrCAExtraFiles, pszNetstrmDrvrCAExtraFiles, uchar*)
+/* TODO: use custom function which frees existing value */
#undef SIMP_PROP
#undef SIMP_PROP_SET
@@ -838,6 +842,12 @@
return(pszDfltNetstrmDrvrCAF);
}
+/* return the extra CA Files, if needed */
+static uchar*
+GetNetstrmDrvrCAExtraFiles(void)
+{
+ return(pszNetstrmDrvrCAExtraFiles);
+}
/* return the current default netstream driver key File */
static uchar*
@@ -925,6 +935,7 @@
SIMP_PROP(DfltNetstrmDrvrCAF)
SIMP_PROP(DfltNetstrmDrvrKeyFile)
SIMP_PROP(DfltNetstrmDrvrCertFile)
+ SIMP_PROP(NetstrmDrvrCAExtraFiles)
#ifdef USE_UNLIMITED_SELECT
SIMP_PROP(FdSetSize)
#endif
@@ -941,6 +952,8 @@
pszDfltNetstrmDrvr = NULL;
free(pszDfltNetstrmDrvrCAF);
pszDfltNetstrmDrvrCAF = NULL;
+ free(pszNetstrmDrvrCAExtraFiles);
+ pszNetstrmDrvrCAExtraFiles = NULL;
free(pszDfltNetstrmDrvrKeyFile);
pszDfltNetstrmDrvrKeyFile = NULL;
free(pszDfltNetstrmDrvrCertFile);
@@ -1350,6 +1363,9 @@
free(pszDfltNetstrmDrvr);
pszDfltNetstrmDrvr = (uchar*)
es_str2cstr(cnfparamvals[i].val.d.estr, NULL);
+ } else if(!strcmp(paramblk.descr[i].name, "netstreamdrivercaextrafiles")) {
+ free(pszNetstrmDrvrCAExtraFiles);
+ pszNetstrmDrvrCAExtraFiles = (uchar*) es_str2cstr(cnfparamvals[i].val.d.estr, NULL);
} else if(!strcmp(paramblk.descr[i].name, "preservefqdn")) {
bPreserveFQDN = (int) cnfparamvals[i].val.d.n;
} else if(!strcmp(paramblk.descr[i].name,
@@ -1546,6 +1562,8 @@
&pszDfltNetstrmDrvrKeyFile, NULL));
CHKiRet(regCfSysLineHdlr((uchar *)"defaultnetstreamdrivercertfile", 0, eCmdHdlrGetWord, NULL,
&pszDfltNetstrmDrvrCertFile, NULL));
+ CHKiRet(regCfSysLineHdlr((uchar *)"netstreamdrivercaextrafiles", 0, eCmdHdlrGetWord, NULL,
+ &pszNetstrmDrvrCAExtraFiles, NULL));
CHKiRet(regCfSysLineHdlr((uchar *)"localhostname", 0, eCmdHdlrGetWord, NULL, &LocalHostNameOverride, NULL));
CHKiRet(regCfSysLineHdlr((uchar *)"localhostipif", 0, eCmdHdlrGetWord, setLocalHostIPIF, NULL, NULL));
CHKiRet(regCfSysLineHdlr((uchar *)"optimizeforuniprocessor", 0, eCmdHdlrGoneAway, NULL, NULL, NULL));
--- rsyslog-8.2102.0.ori/runtime/nsd_ossl.c 2022-09-07 13:17:02.705696208 +0200
+++ rsyslog-8.2102.0/runtime/nsd_ossl.c 2022-09-07 14:09:18.697256943 +0200
@@ -88,6 +88,7 @@
static short bHaveCA;
static short bHaveCert;
static short bHaveKey;
+static short bHaveExtraCAFiles;
static int bAnonInit;
static MUTEX_TYPE anonInit_mut = PTHREAD_MUTEX_INITIALIZER;
@@ -414,7 +415,8 @@
{
DEFiRet;
DBGPRINTF("openssl: entering osslGlblInit\n");
- const char *caFile, *certFile, *keyFile;
+ const char *caFile, *certFile, *keyFile, *extraCaFile;
+ char *extraCaFiles;
/* Setup OpenSSL library */
if((opensslh_THREAD_setup() == 0) || !SSL_library_init()) {
@@ -451,9 +453,27 @@
} else {
bHaveKey = 1;
}
+ extraCaFiles = (char*) glbl.GetNetstrmDrvrCAExtraFiles();
+ if(extraCaFiles == NULL) {
+ bHaveExtraCAFiles = 0;
+ } else {
+ bHaveExtraCAFiles = 1;
+ }
/* Create main CTX Object */
ctx = SSL_CTX_new(SSLv23_method());
+ if(bHaveExtraCAFiles == 1) {
+ while((extraCaFile = strsep(&extraCaFiles, ","))) {
+ if(SSL_CTX_load_verify_locations(ctx, extraCaFile, NULL) != 1) {
+ LogError(0, RS_RET_TLS_CERT_ERR, "Error: Extra Certificate file could not be accessed. "
+ "Check at least: 1) file path is correct, 2) file exist, "
+ "3) permissions are correct, 4) file content is correct. "
+ "Open ssl error info may follow in next messages");
+ osslLastSSLErrorMsg(0, NULL, LOG_ERR, "osslGlblInit");
+ ABORT_FINALIZE(RS_RET_TLS_CERT_ERR);
+ }
+ }
+ }
if(bHaveCA == 1 && SSL_CTX_load_verify_locations(ctx, caFile, NULL) != 1) {
LogError(0, RS_RET_TLS_CERT_ERR, "Error: CA certificate could not be accessed. "
"Check at least: 1) file path is correct, 2) file exist, "

195
SOURCES/rsyslog-8.2102.0-rhbz2127404-libcap-ng.patch
Unescape View File

@ -1,195 +0,0 @@
diff -up rsyslog-8.2102.0/configure.ac.orig rsyslog-8.2102.0/configure.ac
--- rsyslog-8.2102.0/configure.ac.orig 2022-11-21 11:39:40.717183684 +0100
+++ rsyslog-8.2102.0/configure.ac 2022-11-21 11:40:18.697206706 +0100
@@ -387,6 +387,28 @@ if test "$enable_fmhash_xxhash" = "yes";
])
fi
+AC_ARG_ENABLE(libcap-ng,
+ [AS_HELP_STRING([--enable-libcap-ng],[Enable dropping capabilities to only the necessary set @<:@default=no@:>@])],
+ [case "${enableval}" in
+ yes) enable_libcapng="yes" ;;
+ no) enable_libcapng="no" ;;
+ *) AC_MSG_ERROR(bad value ${enableval} for --enable_libcapng) ;;
+ esac],
+ [enable_libcapng=no]
+)
+
+if test "$enable_libcapng" = "yes"; then
+ PKG_CHECK_MODULES(
+ [LIBCAPNG],
+ [libcap-ng >= 0.8.2],
+ [AC_DEFINE([ENABLE_LIBCAPNG], [1], [Indicator that libcap-ng is present])],
+ [AC_MSG_ERROR(libcap-ng is not present.)]
+ )
+ CFLAGS="$CFLAGS $LIBCAPNG_CFLAGS"
+ LIBS="$LIBS $LIBCAPNG_LIBS"
+fi
+
+
#gssapi
AC_ARG_ENABLE(gssapi_krb5,
@@ -2688,6 +2710,7 @@ echo " liblogging-stdlog support enab
echo " libsystemd enabled: $enable_libsystemd"
echo " kafka static linking enabled: $enable_kafka_static"
echo " atomic operations enabled: $enable_atomic_operations"
+echo " libcap-ng support enabled: $enable_libcapng"
echo
echo "---{ input plugins }---"
if test "$unamestr" != "AIX"; then
diff -up rsyslog-8.2102.0/runtime/rsconf.c.orig rsyslog-8.2102.0/runtime/rsconf.c
--- rsyslog-8.2102.0/runtime/rsconf.c.orig 2022-11-21 11:40:31.926214720 +0100
+++ rsyslog-8.2102.0/runtime/rsconf.c 2022-11-21 11:44:26.742356979 +0100
@@ -33,6 +33,9 @@
#include <sys/resource.h>
#include <sys/types.h>
#include <sys/stat.h>
+#ifdef ENABLE_LIBCAPNG
+ #include <cap-ng.h>
+#endif
#include "rsyslog.h"
#include "obj.h"
@@ -546,6 +549,7 @@ rsRetVal doDropPrivGid(void)
uchar szBuf[1024];
DEFiRet;
+#ifndef ENABLE_LIBCAPNG
if(!ourConf->globals.gidDropPrivKeepSupplemental) {
res = setgroups(0, NULL); /* remove all supplemental group IDs */
if(res) {
@@ -560,9 +564,19 @@ rsRetVal doDropPrivGid(void)
if(res) {
rs_strerror_r(errno, (char*)szBuf, sizeof(szBuf));
LogError(0, RS_RET_ERR_DROP_PRIV,
- "could not set requested group id: %s", szBuf);
+ "could not set requested group id: %s via setgid()", szBuf);
ABORT_FINALIZE(RS_RET_ERR_DROP_PRIV);
}
+#else
+ int capng_flags = ourConf->globals.gidDropPrivKeepSupplemental ? CAPNG_NO_FLAG : CAPNG_DROP_SUPP_GRP;
+ res = capng_change_id(-1, ourConf->globals.gidDropPriv, capng_flags);
+ if (res) {
+ LogError(0, RS_RET_LIBCAPNG_ERR,
+ "could not set requested group id %d via capng_change_id()", ourConf->globals.gidDropPriv);
+ ABORT_FINALIZE(RS_RET_LIBCAPNG_ERR);
+ }
+#endif
+
DBGPRINTF("setgid(%d): %d\n", ourConf->globals.gidDropPriv, res);
snprintf((char*)szBuf, sizeof(szBuf), "rsyslogd's groupid changed to %d",
ourConf->globals.gidDropPriv);
@@ -599,7 +613,14 @@ static void doDropPrivUid(int iUid)
iUid, szBuf);
}
+#ifndef ENABLE_LIBCAPNG
res = setuid(iUid);
+ // res = setuid(cnf->globals.uidDropPriv);
+#else
+ int capng_flags = ourConf->globals.gidDropPrivKeepSupplemental ? CAPNG_NO_FLAG : CAPNG_DROP_SUPP_GRP;
+ res = capng_change_id(iUid, -1, capng_flags);
+#endif
+
if(res) {
/* if we can not set the userid, this is fatal, so let's unconditionally abort */
perror("could not set requested userid");
diff -up rsyslog-8.2102.0/runtime/rsyslog.h.orig rsyslog-8.2102.0/runtime/rsyslog.h
--- rsyslog-8.2102.0/runtime/rsyslog.h.orig 2022-11-21 11:45:09.007382588 +0100
+++ rsyslog-8.2102.0/runtime/rsyslog.h 2022-11-21 11:45:31.333396112 +0100
@@ -582,6 +582,7 @@ enum rsRetVal_ /** return value. All
RS_RET_RABBITMQ_CHANNEL_ERR = -2449, /**< RabbitMQ Connection error */
RS_RET_NO_WRKDIR_SET = -2450, /**< working directory not set, but desired by functionality */
RS_RET_ERR_QUEUE_FN_DUP = -2451, /**< duplicate queue file name */
+ RS_RET_LIBCAPNG_ERR = -2455, /**< error during dropping the capabilities */
/* RainerScript error messages (range 1000.. 1999) */
RS_RET_SYSVAR_NOT_FOUND = 1001, /**< system variable could not be found (maybe misspelled) */
diff -up rsyslog-8.2102.0/tools/rsyslogd.c.orig rsyslog-8.2102.0/tools/rsyslogd.c
--- rsyslog-8.2102.0/tools/rsyslogd.c.orig 2022-11-21 11:45:17.587387786 +0100
+++ rsyslog-8.2102.0/tools/rsyslogd.c 2022-11-21 11:46:19.509425295 +0100
@@ -38,6 +38,10 @@
# include <systemd/sd-daemon.h>
#endif
+#ifdef ENABLE_LIBCAPNG
+ #include <cap-ng.h>
+#endif
+
#include "rsyslog.h"
#include "wti.h"
#include "ratelimit.h"
@@ -321,7 +325,7 @@ checkStartupOK(void)
fprintf(stderr, "rsyslogd: error reading pid file, cannot start up\n");
ABORT_FINALIZE(RS_RET_ERR);
}
-
+
/* ok, we got a pid, let's check if the process is running */
const pid_t pid = (pid_t) pf_pid;
if(kill(pid, 0) == 0 || errno != ESRCH) {
@@ -1594,7 +1598,7 @@ initAll(int argc, char **argv)
localRet = RS_RET_OK;
}
CHKiRet(localRet);
-
+
CHKiRet(rsyslogd_InitStdRatelimiters());
if(bChDirRoot) {
@@ -2019,7 +2023,7 @@ deinitAll(void)
/* close the inputs */
DBGPRINTF("Terminating input threads...\n");
glbl.SetGlobalInputTermination();
-
+
thrdTerminateAll();
/* and THEN send the termination log message (see long comment above) */
@@ -2142,6 +2146,45 @@ main(int argc, char **argv)
if(log_dflt != NULL && !strcmp(log_dflt, "1"))
bProcessInternalMessages = 1;
dbgClassInit();
+
+#ifdef ENABLE_LIBCAPNG
+ /*
+ * Drop capabilities to the necessary set
+ */
+ int capng_rc;
+ capng_clear(CAPNG_SELECT_BOTH);
+
+ if ((capng_rc = capng_updatev(CAPNG_ADD, CAPNG_EFFECTIVE|CAPNG_PERMITTED,
+ CAP_BLOCK_SUSPEND,
+ CAP_CHOWN,
+ CAP_IPC_LOCK,
+ CAP_LEASE,
+ CAP_NET_ADMIN,
+ CAP_NET_BIND_SERVICE,
+ CAP_PERFMON,
+ CAP_SETGID,
+ CAP_SETUID,
+ CAP_SYS_ADMIN,
+ CAP_SYS_CHROOT,
+ CAP_SYS_RESOURCE,
+ CAP_SYSLOG,
+ -1
+ )) != 0) {
+ LogError(0, RS_RET_LIBCAPNG_ERR,
+ "could not update the internal posix capabilities settings "
+ "based on the options passed to it, capng_updatev=%d\n", capng_rc);
+ exit(-1);
+ }
+
+ if ((capng_rc = capng_apply(CAPNG_SELECT_BOTH)) != 0) {
+ LogError(0, RS_RET_LIBCAPNG_ERR,
+ "could not transfer the specified internal posix capabilities "
+ "settings to the kernel, capng_apply=%d\n", capng_rc);
+ exit(-1);
+ }
+ DBGPRINTF("Capabilities were dropped successfully\n");
+#endif
+
initAll(argc, argv);
#ifdef HAVE_LIBSYSTEMD
sd_notify(0, "READY=1");

12
SOURCES/rsyslog-8.2102.0-rhbz2129015-journal-COMM.patch
Unescape View File

@ -1,12 +0,0 @@
diff -up rsyslog-8.2102.0/plugins/imjournal/imjournal.c.orig rsyslog-8.2102.0/plugins/imjournal/imjournal.c
--- rsyslog-8.2102.0/plugins/imjournal/imjournal.c.orig 2023-05-19 10:32:32.467826852 +0200
+++ rsyslog-8.2102.0/plugins/imjournal/imjournal.c 2023-05-19 10:33:34.426902983 +0200
@@ -452,6 +452,8 @@ readjournal(void)
/* Get message identifier, client pid and add ':' */
if (journalGetData("SYSLOG_IDENTIFIER", &get, &length) >= 0) {
CHKiRet(sanitizeValue(((const char *)get) + 18, length - 18, &sys_iden));
+ } else if (journalGetData("_COMM", &get, &length) >= 0) {
+ CHKiRet(sanitizeValue(((const char *)get) + 6, length - 6, &sys_iden));
} else {
CHKmalloc(sys_iden = strdup(cs.dfltTag));
}

109
SOURCES/rsyslog-8.2102.0-rhbz2216919-libcapng-default.patch
Unescape View File

@ -1,109 +0,0 @@
diff -up rsyslog-8.2102.0/runtime/glbl.c.orig rsyslog-8.2102.0/runtime/glbl.c
--- rsyslog-8.2102.0/runtime/glbl.c.orig 2023-06-27 08:20:45.265387162 +0200
+++ rsyslog-8.2102.0/runtime/glbl.c 2023-06-27 08:20:45.262387154 +0200
@@ -230,7 +230,8 @@ static struct cnfparamdescr cnfparamdesc
{ "reverselookup.cache.ttl.enable", eCmdHdlrBinary, 0 },
{ "shutdown.queue.doublesize", eCmdHdlrBinary, 0 },
{ "debug.files", eCmdHdlrArray, 0 },
- { "debug.whitelist", eCmdHdlrBinary, 0 }
+ { "debug.whitelist", eCmdHdlrBinary, 0 },
+ { "libcapng.default", eCmdHdlrBinary, 0 }
};
static struct cnfparamblk paramblk =
{ CNFPARAMBLK_VERSION,
@@ -1315,6 +1316,13 @@ glblDoneLoadCnf(void)
if(!strcmp(paramblk.descr[i].name, "workdirectory")) {
cstr = (uchar*) es_str2cstr(cnfparamvals[i].val.d.estr, NULL);
setWorkDir(NULL, cstr);
+ } else if(!strcmp(paramblk.descr[i].name, "libcapng.default")) {
+#ifdef ENABLE_LIBCAPNG
+ loadConf->globals.bAbortOnFailedLibcapngSetup = (int) cnfparamvals[i].val.d.n;
+#else
+ LogError(0, RS_RET_ERR, "rsyslog wasn't "
+ "compiled with libcap-ng support.");
+#endif
} else if(!strcmp(paramblk.descr[i].name, "variables.casesensitive")) {
const int val = (int) cnfparamvals[i].val.d.n;
fjson_global_do_case_sensitive_comparison(val);
diff -up rsyslog-8.2102.0/runtime/rsconf.c.orig rsyslog-8.2102.0/runtime/rsconf.c
--- rsyslog-8.2102.0/runtime/rsconf.c.orig 2023-06-27 08:20:45.265387162 +0200
+++ rsyslog-8.2102.0/runtime/rsconf.c 2023-06-27 08:20:45.264387159 +0200
@@ -146,6 +146,9 @@ int rsconfNeedDropPriv(rsconf_t *const c
static void cnfSetDefaults(rsconf_t *pThis)
{
+#ifdef ENABLE_LIBCAPNG
+ pThis->globals.bAbortOnFailedLibcapngSetup = 1;
+#endif
pThis->globals.bAbortOnUncleanConfig = 0;
pThis->globals.bReduceRepeatMsgs = 0;
pThis->globals.bDebugPrintTemplateList = 1;
diff -up rsyslog-8.2102.0/runtime/rsconf.h.orig rsyslog-8.2102.0/runtime/rsconf.h
--- rsyslog-8.2102.0/runtime/rsconf.h.orig 2023-06-27 08:20:45.265387162 +0200
+++ rsyslog-8.2102.0/runtime/rsconf.h 2023-06-27 08:20:45.260387149 +0200
@@ -61,6 +61,9 @@ struct queuecnf_s {
* be re-set as often as the user likes).
*/
struct globals_s {
+#ifdef ENABLE_LIBCAPNG
+ int bAbortOnFailedLibcapngSetup;
+#endif
int bDebugPrintTemplateList;
int bDebugPrintModuleList;
int bDebugPrintCfSysLineHandlerList;
diff -up rsyslog-8.2102.0/tools/rsyslogd.c.orig rsyslog-8.2102.0/tools/rsyslogd.c
--- rsyslog-8.2102.0/tools/rsyslogd.c.orig 2023-06-27 08:20:45.245387109 +0200
+++ rsyslog-8.2102.0/tools/rsyslogd.c 2023-06-27 08:31:35.250120215 +0200
@@ -2151,7 +2151,7 @@ main(int argc, char **argv)
/*
* Drop capabilities to the necessary set
*/
- int capng_rc;
+ int capng_rc, capng_failed = 0;
capng_clear(CAPNG_SELECT_BOTH);
if ((capng_rc = capng_updatev(CAPNG_ADD, CAPNG_EFFECTIVE|CAPNG_PERMITTED,
@@ -2161,10 +2161,9 @@ main(int argc, char **argv)
CAP_LEASE,
CAP_NET_ADMIN,
CAP_NET_BIND_SERVICE,
+ CAP_DAC_OVERRIDE,
CAP_SETGID,
CAP_SETUID,
- CAP_DAC_OVERRIDE,
- CAP_NET_RAW,
CAP_SYS_ADMIN,
CAP_SYS_CHROOT,
CAP_SYS_RESOURCE,
@@ -2173,17 +2172,25 @@ main(int argc, char **argv)
)) != 0) {
LogError(0, RS_RET_LIBCAPNG_ERR,
"could not update the internal posix capabilities settings "
- "based on the options passed to it, capng_updatev=%d\n", capng_rc);
- exit(-1);
+ "based on the options passed to it, capng_updatev=%d", capng_rc);
+ capng_failed = 1;
}
if ((capng_rc = capng_apply(CAPNG_SELECT_BOTH)) != 0) {
LogError(0, RS_RET_LIBCAPNG_ERR,
- "could not transfer the specified internal posix capabilities "
- "settings to the kernel, capng_apply=%d\n", capng_rc);
- exit(-1);
+ "could not transfer the specified internal posix capabilities "
+ "settings to the kernel, capng_apply=%d", capng_rc);
+ capng_failed = 1;
+ }
+
+ if (capng_failed) {
+ DBGPRINTF("Capabilities were not dropped successfully.\n");
+ if (loadConf->globals.bAbortOnFailedLibcapngSetup) {
+ exit(RS_RET_LIBCAPNG_ERR);
+ }
+ } else {
+ DBGPRINTF("Capabilities were dropped successfully\n");
}
- DBGPRINTF("Capabilities were dropped successfully\n");
#endif
initAll(argc, argv);

145
SOURCES/rsyslog-8.2102.0-rhbz2216919-libcapng-no-drop.patch
Unescape View File

@ -1,145 +0,0 @@
diff -up rsyslog-8.2102.0/tools/rsyslogd.c.orig rsyslog-8.2102.0/tools/rsyslogd.c
--- rsyslog-8.2102.0/tools/rsyslogd.c.orig 2023-06-27 08:56:27.321174891 +0200
+++ rsyslog-8.2102.0/tools/rsyslogd.c 2023-06-27 08:58:17.977481782 +0200
@@ -1557,6 +1557,88 @@ initAll(int argc, char **argv)
resetErrMsgsFlag();
localRet = rsconf.Load(&ourConf, ConfFile);
+ #ifdef ENABLE_LIBCAPNG
+ /*
+ * Drop capabilities to the necessary set
+ */
+ int capng_rc, capng_failed = 0;
+ typedef struct capabilities_s {
+ int capability; /* capability code */
+ const char *name; /* name of the capability to be displayed */
+ sbool present; /* is the capability present that is needed by rsyslog? if so we do not drop it */
+ } capabilities_t;
+
+ capabilities_t capabilities[] = {
+ #define CAP_FIELD(code) { code, #code, 0 }
+ CAP_FIELD(CAP_BLOCK_SUSPEND),
+ CAP_FIELD(CAP_CHOWN),
+ CAP_FIELD(CAP_IPC_LOCK),
+ CAP_FIELD(CAP_LEASE),
+ CAP_FIELD(CAP_NET_ADMIN),
+ CAP_FIELD(CAP_NET_BIND_SERVICE),
+ CAP_FIELD(CAP_DAC_OVERRIDE),
+ CAP_FIELD(CAP_SETGID),
+ CAP_FIELD(CAP_SETUID),
+ CAP_FIELD(CAP_SYS_ADMIN),
+ CAP_FIELD(CAP_SYS_CHROOT),
+ CAP_FIELD(CAP_SYS_RESOURCE),
+ CAP_FIELD(CAP_SYSLOG)
+ #undef CAP_FIELD
+ };
+
+ if (capng_have_capabilities(CAPNG_SELECT_CAPS) > CAPNG_NONE) {
+ /* Examine which capabilities are available to us, so we do not try to
+ drop something that is not present. We need to do this in two steps,
+ because capng_clear clears the capability set. In the second step,
+ we add back those caps, which were present before clearing the selected
+ posix capabilities set.
+ */
+ unsigned long caps_len = sizeof(capabilities) / sizeof(capabilities_t);
+ for (unsigned long i = 0; i < caps_len; i++) {
+ if (capng_have_capability(CAPNG_EFFECTIVE, capabilities[i].capability)) {
+ capabilities[i].present = 1;
+ }
+ }
+
+ capng_clear(CAPNG_SELECT_BOTH);
+
+ for (unsigned long i = 0; i < caps_len; i++) {
+ if (capabilities[i].present) {
+ DBGPRINTF("The %s capability is present, "
+ "will try to preserve it.\n", capabilities[i].name);
+ if ((capng_rc = capng_update(CAPNG_ADD, CAPNG_EFFECTIVE|CAPNG_PERMITTED,
+ capabilities[i].capability)) != 0) {
+ LogError(0, RS_RET_LIBCAPNG_ERR,
+ "could not update the internal posix capabilities settings "
+ "based on the options passed to it, capng_update=%d", capng_rc);
+ capng_failed = 1;
+ }
+ } else {
+ DBGPRINTF("The %s capability is not present, "
+ "will not try to preserve it.\n", capabilities[i].name);
+ }
+ }
+
+ if ((capng_rc = capng_apply(CAPNG_SELECT_BOTH)) != 0) {
+ LogError(0, RS_RET_LIBCAPNG_ERR,
+ "could not transfer the specified internal posix capabilities "
+ "settings to the kernel, capng_apply=%d", capng_rc);
+ capng_failed = 1;
+ }
+
+ if (capng_failed) {
+ DBGPRINTF("Capabilities were not dropped successfully.\n");
+ if (loadConf->globals.bAbortOnFailedLibcapngSetup) {
+ ABORT_FINALIZE(RS_RET_LIBCAPNG_ERR);
+ }
+ } else {
+ DBGPRINTF("Capabilities were dropped successfully\n");
+ }
+ } else {
+ DBGPRINTF("No capabilities to drop\n");
+ }
+#endif
+
if(fp_rs_full_conf_output != NULL) {
if(fp_rs_full_conf_output != stdout) {
fclose(fp_rs_full_conf_output);
@@ -2147,52 +2229,6 @@ main(int argc, char **argv)
bProcessInternalMessages = 1;
dbgClassInit();
-#ifdef ENABLE_LIBCAPNG
- /*
- * Drop capabilities to the necessary set
- */
- int capng_rc, capng_failed = 0;
- capng_clear(CAPNG_SELECT_BOTH);
-
- if ((capng_rc = capng_updatev(CAPNG_ADD, CAPNG_EFFECTIVE|CAPNG_PERMITTED,
- CAP_BLOCK_SUSPEND,
- CAP_CHOWN,
- CAP_IPC_LOCK,
- CAP_LEASE,
- CAP_NET_ADMIN,
- CAP_NET_BIND_SERVICE,
- CAP_DAC_OVERRIDE,
- CAP_SETGID,
- CAP_SETUID,
- CAP_SYS_ADMIN,
- CAP_SYS_CHROOT,
- CAP_SYS_RESOURCE,
- CAP_SYSLOG,
- -1
- )) != 0) {
- LogError(0, RS_RET_LIBCAPNG_ERR,
- "could not update the internal posix capabilities settings "
- "based on the options passed to it, capng_updatev=%d", capng_rc);
- capng_failed = 1;
- }
-
- if ((capng_rc = capng_apply(CAPNG_SELECT_BOTH)) != 0) {
- LogError(0, RS_RET_LIBCAPNG_ERR,
- "could not transfer the specified internal posix capabilities "
- "settings to the kernel, capng_apply=%d", capng_rc);
- capng_failed = 1;
- }
-
- if (capng_failed) {
- DBGPRINTF("Capabilities were not dropped successfully.\n");
- if (loadConf->globals.bAbortOnFailedLibcapngSetup) {
- exit(RS_RET_LIBCAPNG_ERR);
- }
- } else {
- DBGPRINTF("Capabilities were dropped successfully\n");
- }
-#endif
-
initAll(argc, argv);
#ifdef HAVE_LIBSYSTEMD
sd_notify(0, "READY=1");

30
SOURCES/rsyslog.conf
Unescape View File

@ -4,14 +4,6 @@
# or latest version online at http://www.rsyslog.com/doc/rsyslog_conf.html
# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html
#### GLOBAL DIRECTIVES ####
# Where to place auxiliary files
global(workDirectory="/var/lib/rsyslog")
# Use default timestamp format
module(load="builtin:omfile" Template="RSYSLOG_TraditionalFileFormat")
#### MODULES ####
module(load="imuxsock" # provides support for local system logging (e.g. via logger command)
@ -23,9 +15,6 @@ module(load="imjournal" # provides access to the systemd journal
#module(load="imklog") # reads kernel messages (the same are read from journald)
#module(load="immark") # provides --MARK-- message capability
# Include all config files in /etc/rsyslog.d/
include(file="/etc/rsyslog.d/*.conf" mode="optional")
# Provides UDP syslog reception
# for parameters see http://www.rsyslog.com/doc/imudp.html
#module(load="imudp") # needs to be done just once
@ -36,6 +25,17 @@ include(file="/etc/rsyslog.d/*.conf" mode="optional")
#module(load="imtcp") # needs to be done just once
#input(type="imtcp" port="514")
#### GLOBAL DIRECTIVES ####
# Where to place auxiliary files
global(workDirectory="/var/lib/rsyslog")
# Use default timestamp format
module(load="builtin:omfile" Template="RSYSLOG_TraditionalFileFormat")
# Include all config files in /etc/rsyslog.d/
include(file="/etc/rsyslog.d/*.conf" mode="optional")
#### RULES ####
# Log all kernel messages to the console.
@ -68,13 +68,13 @@ local7.* /var/log/boot.log
# ### sample forwarding rule ###
#action(type="omfwd"
# # An on-disk queue is created for this action. If the remote host is
# # down, messages are spooled to disk and sent when it is up again.
# An on-disk queue is created for this action. If the remote host is
# down, messages are spooled to disk and sent when it is up again.
#queue.filename="fwdRule1" # unique name prefix for spool files
#queue.maxdiskspace="1g" # 1gb space limit (use as much as possible)
#queue.saveonshutdown="on" # save messages to disk on shutdown
#queue.type="LinkedList" # run asynchronously
#action.resumeRetryCount="-1" # infinite retries if host is down
# # Remote Logging (we use TCP for reliable delivery)
# # remote_host is: name/ip, e.g. 192.168.0.1, port optional e.g. 10514
# Remote Logging (we use TCP for reliable delivery)
# remote_host is: name/ip, e.g. 192.168.0.1, port optional e.g. 10514
#Target="remote_host" Port="XXX" Protocol="tcp")

1
SOURCES/rsyslog.service
Unescape View File

@ -10,7 +10,6 @@ Documentation=https://www.rsyslog.com/doc/
Type=notify
EnvironmentFile=-/etc/sysconfig/rsyslog
ExecStart=/usr/sbin/rsyslogd -n $SYSLOGD_OPTIONS
ExecReload=/usr/bin/kill -HUP $MAINPID
UMask=0066
StandardOutput=null
Restart=on-failure

1683
SPECS/rsyslog.spec
View File

File diff suppressed because it is too large Load Diff
Write Preview
Loading…
Cancel
Save