From 3f7feced8779dc78d903d3463f176042598ec24c Mon Sep 17 00:00:00 2001
From: Daniel Baumann
Date: Mon, 15 Apr 2024 18:28:51 +0200
Subject: Merging upstream version 8.2404.0.
Signed-off-by: Daniel Baumann
---
 plugins/imdtls/Makefile.am | 4 ++--
 plugins/imdtls/Makefile.in | 4 ++--
 plugins/imdtls/imdtls.c | 32 ++++++++++++++++----------------
 plugins/mmdblookup/mmdblookup.c | 5 +++++
 plugins/omdtls/Makefile.am | 4 ++--
 plugins/omdtls/Makefile.in | 4 ++--
 plugins/omdtls/omdtls.c | 20 +++++++++++---------
 7 files changed, 40 insertions(+), 33 deletions(-)
 (limited to 'plugins')
diff --git a/plugins/imdtls/Makefile.am b/plugins/imdtls/Makefile.am
index bf544b3..3253444 100644
--- a/plugins/imdtls/Makefile.am
+++ b/plugins/imdtls/Makefile.am
@@ -1,6 +1,6 @@
 pkglib_LTLIBRARIES = imdtls.la
-imdtls_la_DEPENDENCIES = ../../runtime/lmnsd_ossl.la
+imdtls_la_DEPENDENCIES =
 imdtls_la_SOURCES = imdtls.c
 imdtls_la_CPPFLAGS = -I$(top_srcdir) $(PTHREADS_CFLAGS) $(RSRT_CFLAGS) $(OPENSSL_CFLAGS)
 imdtls_la_LDFLAGS = -module -avoid-version
-imdtls_la_LIBADD = $(OPENSSL_LIBS) ../../runtime/lmnsd_ossl.la
+imdtls_la_LIBADD = $(OPENSSL_LIBS)
diff --git a/plugins/imdtls/Makefile.in b/plugins/imdtls/Makefile.in
index 03043f4..d9a5d48 100644
--- a/plugins/imdtls/Makefile.in
+++ b/plugins/imdtls/Makefile.in
@@ -451,11 +451,11 @@ top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
 pkglib_LTLIBRARIES = imdtls.la
-imdtls_la_DEPENDENCIES = ../../runtime/lmnsd_ossl.la
+imdtls_la_DEPENDENCIES =
 imdtls_la_SOURCES = imdtls.c
 imdtls_la_CPPFLAGS = -I$(top_srcdir) $(PTHREADS_CFLAGS) $(RSRT_CFLAGS) $(OPENSSL_CFLAGS)
 imdtls_la_LDFLAGS = -module -avoid-version
-imdtls_la_LIBADD = $(OPENSSL_LIBS) ../../runtime/lmnsd_ossl.la
+imdtls_la_LIBADD = $(OPENSSL_LIBS)
 all: all-am
 .SUFFIXES:
diff --git a/plugins/imdtls/imdtls.c b/plugins/imdtls/imdtls.c
index 6501d9c..3751bbe 100644
--- a/plugins/imdtls/imdtls.c
+++ b/plugins/imdtls/imdtls.c
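Review bot: Dropping `../../runtime/lmnsd_ossl.la` from `imdtls_la_DEPENDENCIES` and `imdtls_la_LIBADD` means any `net_ossl_*` symbol the plugin still references directly is no longer satisfied at link time and only surfaces when the module is loaded (with lazy binding, possibly not until the first call). The imdtls.c hunks below convert every call site in view to the `net_ossl.ossl*` interface, but the file is only partially visible here, so a search of the whole file for remaining `net_ossl_` references is warranted before relying on the slimmer link line. The same applies to the omdtls Makefile.am hunk further down; the Makefile.in hunks are the generated mirror and need no separate review.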
@@ -314,24 +314,24 @@ imdtls_verify_callback(int status, SSL* ssl)
 switch(inst->pNetOssl->authMode) {
 case OSSL_AUTH_CERTNAME:
 /* if we check the name, we must ensure the cert is valid */
- certpeer = net_ossl_getpeercert(inst->pNetOssl, ssl, NULL);
+ certpeer = net_ossl.osslGetpeercert(inst->pNetOssl, ssl, NULL);
 dbgprintf("imdtls_verify_callback: Check peer certname[%p]=%s\n",
 (void *)ssl, (certpeer != NULL ? "VALID" : "NULL"));
- CHKiRet(net_ossl_chkpeercertvalidity(inst->pNetOssl, ssl, NULL));
- CHKiRet(net_ossl_chkpeername(inst->pNetOssl, certpeer, NULL));
+ CHKiRet(net_ossl.osslChkpeercertvalidity(inst->pNetOssl, ssl, NULL));
+ CHKiRet(net_ossl.osslChkpeername(inst->pNetOssl, certpeer, NULL));
 break;
 case OSSL_AUTH_CERTFINGERPRINT:
- certpeer = net_ossl_getpeercert(inst->pNetOssl, ssl, NULL);
+ certpeer = net_ossl.osslGetpeercert(inst->pNetOssl, ssl, NULL);
 dbgprintf("imdtls_verify_callback: Check peer fingerprint[%p]=%s\n",
 (void *)ssl, (certpeer != NULL ? "VALID" : "NULL"));
- CHKiRet(net_ossl_chkpeercertvalidity(inst->pNetOssl, ssl, NULL));
- CHKiRet(net_ossl_peerfingerprint(inst->pNetOssl, certpeer, NULL));
+ CHKiRet(net_ossl.osslChkpeercertvalidity(inst->pNetOssl, ssl, NULL));
+ CHKiRet(net_ossl.osslPeerfingerprint(inst->pNetOssl, certpeer, NULL));
 break;
 case OSSL_AUTH_CERTVALID:
- certpeer = net_ossl_getpeercert(inst->pNetOssl, ssl, NULL);
+ certpeer = net_ossl.osslGetpeercert(inst->pNetOssl, ssl, NULL);
 dbgprintf("imdtls_verify_callback: Check peer valid[%p]=%s\n",
 (void *)ssl, (certpeer != NULL ? "VALID" : "NULL"));
- CHKiRet(net_ossl_chkpeercertvalidity(inst->pNetOssl, ssl, NULL));
+ CHKiRet(net_ossl.osslChkpeercertvalidity(inst->pNetOssl, ssl, NULL));
 break;
 case OSSL_AUTH_CERTANON:
 dbgprintf("imdtls_verify_callback: ANON[%p]\n", (void *)ssl);
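Review bot: In the `OSSL_AUTH_CERTNAME` and `OSSL_AUTH_CERTFINGERPRINT` cases the `certpeer` returned by `net_ossl.osslGetpeercert()` is handed to `osslChkpeername()`/`osslPeerfingerprint()` even when it is NULL, a case the adjacent dbgprintf explicitly anticipates by printing "NULL"; a verify callback should fail closed at that point instead of depending on the helper's NULL handling, e.g. `if(certpeer == NULL) ABORT_FINALIZE(RS_RET_ERR);` (or the module's dedicated certificate-failure code) right after each `osslGetpeercert()` call. Separately, no release of `certpeer` is visible in the hunk; if the helper returns a reference-counted `X509` (as `SSL_get1_peer_certificate()` would) the callback leaks one reference per handshake — confirm the ownership rule in the helper's contract. `imdtls_verify_callback` starts and ends outside the hunk.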
@@ -401,7 +401,7 @@ addListner(modConfData_t __attribute__((unused)) *modConf, instanceConf_t *inst)
 CHKiRet(net_ossl.osslCtxInitCookie(inst->pNetOssl));
 # endif
 // Run openssl config commands in Context
- CHKiRet(net_ossl_apply_tlscgfcmd(inst->pNetOssl, inst->tlscfgcmd));
+ CHKiRet(net_ossl.osslApplyTlscgfcmd(inst->pNetOssl, inst->tlscfgcmd));
 // Init Socket
 CHKiRet(DTLSCreateSocket(inst));
@@ -499,13 +499,13 @@ DTLSAcceptSession(instanceConf_t *inst, int idx) {
 } else if(err == SSL_ERROR_SYSCALL) {
 DBGPRINTF("imdtls: SSL_accept failed SSL_ERROR_SYSCALL idx (%d), removing client.\n", idx);
- net_ossl_lastOpenSSLErrorMsg(NULL, err, ssl, LOG_WARNING,
+ net_ossl.osslLastOpenSSLErrorMsg(NULL, err, ssl, LOG_WARNING,
 "DTLSHandleSessions", "SSL_accept");
 DTLScleanupSession(inst, idx);
 } else {
 // An actual error occurred
 DBGPRINTF("imdtls: SSL_accept failed (%d) idx (%d), removing client.\n", err, idx);
- net_ossl_lastOpenSSLErrorMsg(NULL, err, ssl, LOG_ERR,
+ net_ossl.osslLastOpenSSLErrorMsg(NULL, err, ssl, LOG_ERR,
 "DTLSHandleSessions", "SSL_accept");
 DTLScleanupSession(inst, idx);
 }
@@ -570,7 +570,7 @@ DTLSReadClient(instanceConf_t *inst, int idx, short revents) {
 break;
 } else if (err == SSL_ERROR_SYSCALL) {
 DBGPRINTF("imdtls: SSL_ERROR_SYSCALL on index %d ERRNO %d\n", idx, errno);
- net_ossl_lastOpenSSLErrorMsg(NULL, err, ssl, LOG_ERR,
+ net_ossl.osslLastOpenSSLErrorMsg(NULL, err, ssl, LOG_ERR,
 "DTLSReadClient", "SSL_read");
 DTLScleanupSession(inst, idx);
 break;
@@ -655,7 +655,7 @@ DTLSHandleSessions(instanceConf_t *inst) {
 if (inst->pNetOssl->authMode != OSSL_AUTH_CERTANON) {
 dbgprintf("imdtls: enable certificate checking (Mode=%d, VerifyDepth=%d)\n",
 inst->pNetOssl->authMode, inst->CertVerifyDepth);
- net_ossl_set_ssl_verify_callback(ssl,
+ net_ossl.osslSetSslVerifyCallback(ssl,
 SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT);
 if (inst->CertVerifyDepth != 0) {
 SSL_set_verify_depth(ssl, inst->CertVerifyDepth);
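Review bot: The two rewritten `net_ossl.osslLastOpenSSLErrorMsg()` calls in `DTLSAcceptSession` (the `@@ -499` hunk) still pass `"DTLSHandleSessions"` as the caller label on their continuation lines, so every SSL_accept failure is attributed to the wrong function in the emitted log line, which misleads anyone triaging handshake failures from logs alone; `DTLSReadClient` in the following hunk labels itself correctly. Since the call is being rewritten anyway, change both continuation lines to `"DTLSAcceptSession", "SSL_accept");`. `DTLSAcceptSession` starts and ends outside the hunk.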
@@ -668,7 +668,7 @@ DTLSHandleSessions(instanceConf_t *inst) {
 SSL_set_ex_data(ssl, 2, inst); /* Used in imdtls */
 // Debug Callback for conn sbio!
- net_ossl_set_bio_callback(sbio);
+ net_ossl.osslSetBioCallback(sbio);
 // Connect the new Client
 BIO_ADDR *client_addr = BIO_ADDR_new();
@@ -711,7 +711,7 @@ DTLSHandleSessions(instanceConf_t *inst) {
 if (ret == 0) {
 err = SSL_get_error(ssl, ret);
 DBGPRINTF("imdtls: DTLSHandleSessions BIO_connect ERROR %d\n", err);
- net_ossl_lastOpenSSLErrorMsg(NULL, err, ssl, LOG_WARNING,
+ net_ossl.osslLastOpenSSLErrorMsg(NULL, err, ssl, LOG_WARNING,
 "DTLSHandleSessions", "BIO_connect");
 LogMsg(0, RS_RET_NO_ERRCODE, LOG_WARNING,
 "imdtls: BIO_connect failed for DTLS client");
@@ -744,7 +744,7 @@ DTLSHandleSessions(instanceConf_t *inst) {
 } else {
 DBGPRINTF("imdtls: DTLSv1_listen RET %d (ERR %d / ERRNO %d), abort\n",
 ret, err, errno);
- net_ossl_lastOpenSSLErrorMsg(NULL, err, ssl, LOG_WARNING,
+ net_ossl.osslLastOpenSSLErrorMsg(NULL, err, ssl, LOG_WARNING,
 "DTLSHandleSessions", "DTLSv1_listen");
 LogMsg(0, RS_RET_NO_ERRCODE, LOG_WARNING,
 "imdtls: DTLSv1_listen failed for DTLS client");
diff --git a/plugins/mmdblookup/mmdblookup.c b/plugins/mmdblookup/mmdblookup.c
index f9f3c73..d6a26f7 100644
--- a/plugins/mmdblookup/mmdblookup.c
+++ b/plugins/mmdblookup/mmdblookup.c
@@ -412,6 +412,11 @@ CODESTARTdoAction
 dbgprintf("Error from call to getaddrinfo for %s - %s\n", pszValue, gai_strerror(gai_err));
 ABORT_FINALIZE(RS_RET_OK);
 }
+ if (MMDB_IPV6_LOOKUP_IN_IPV4_DATABASE_ERROR == mmdb_err) {
+ LogMsg(0, NO_ERRCODE, LOG_INFO, "mmdblookup: Tried to search for an IPv6 address in an IPv4-only DB"
+ ", ignoring");
+ ABORT_FINALIZE(RS_RET_OK);
+ }
 if (MMDB_SUCCESS != mmdb_err) {
 dbgprintf("Got an error from the maxminddb library: %s\n", MMDB_strerror(mmdb_err));
 close_mmdb(&pWrkrData->mmdb);
diff --git a/plugins/omdtls/Makefile.am b/plugins/omdtls/Makefile.am
index 8451028..a877419 100644
--- a/plugins/omdtls/Makefile.am
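Review bot: In the `@@ -711` hunk the `err` passed to `net_ossl.osslLastOpenSSLErrorMsg()` is the result of `SSL_get_error(ssl, ret)` taken after `BIO_connect()`; SSL_get_error() is defined for the return values of the SSL_* I/O functions (SSL_connect, SSL_read, SSL_write, …), not for a BIO call, so the code it yields here reflects whatever happens to be in the error queue rather than a meaningful diagnostic for the failed connect. The helper already receives `ssl` and can report the queue itself, so passing `0` as the error argument — as the `SSL_new` and `BIO_new_dgram` failure paths in omdtls.c do — would be the honest value: `net_ossl.osslLastOpenSSLErrorMsg(NULL, 0, ssl, LOG_WARNING,`. `DTLSHandleSessions` continues outside the hunk.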
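Review bot: The new `MMDB_IPV6_LOOKUP_IN_IPV4_DATABASE_ERROR` branch in mmdblookup.c emits a `LogMsg()` at LOG_INFO for every affected message, so a steady stream of IPv6-sourced events against an IPv4-only database produces one log line per event, whereas the sibling getaddrinfo-failure branch immediately above reports via `dbgprintf()`. Either use `dbgprintf()` here for consistency, or keep the operator-visible LogMsg but emit it once per worker (a boolean in `pWrkrData` set after the first report) so the misconfiguration stays visible without flooding the log. Passing the message through with `ABORT_FINALIZE(RS_RET_OK)` is the right outcome, since an unenrichable address is not an error in the event itself. `doAction` starts and ends outside the hunk.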
+++ b/plugins/omdtls/Makefile.am
@@ -1,6 +1,6 @@
 pkglib_LTLIBRARIES = omdtls.la
-omdtls_la_DEPENDENCIES = ../../runtime/lmnsd_ossl.la
+omdtls_la_DEPENDENCIES =
 omdtls_la_SOURCES = omdtls.c
 omdtls_la_CPPFLAGS = -I$(top_srcdir) $(PTHREADS_CFLAGS) $(RSRT_CFLAGS) $(OPENSSL_CFLAGS)
 omdtls_la_LDFLAGS = -module -avoid-version
-omdtls_la_LIBADD = $(OPENSSL_LIBS) ../../runtime/lmnsd_ossl.la
+omdtls_la_LIBADD = $(OPENSSL_LIBS)
diff --git a/plugins/omdtls/Makefile.in b/plugins/omdtls/Makefile.in
index 6978ece..d06d59c 100644
--- a/plugins/omdtls/Makefile.in
+++ b/plugins/omdtls/Makefile.in
@@ -451,11 +451,11 @@ top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
 pkglib_LTLIBRARIES = omdtls.la
-omdtls_la_DEPENDENCIES = ../../runtime/lmnsd_ossl.la
+omdtls_la_DEPENDENCIES =
 omdtls_la_SOURCES = omdtls.c
 omdtls_la_CPPFLAGS = -I$(top_srcdir) $(PTHREADS_CFLAGS) $(RSRT_CFLAGS) $(OPENSSL_CFLAGS)
 omdtls_la_LDFLAGS = -module -avoid-version
-omdtls_la_LIBADD = $(OPENSSL_LIBS) ../../runtime/lmnsd_ossl.la
+omdtls_la_LIBADD = $(OPENSSL_LIBS)
 all: all-am
 .SUFFIXES:
diff --git a/plugins/omdtls/omdtls.c b/plugins/omdtls/omdtls.c
index c5ba167..dd4c55f 100644
--- a/plugins/omdtls/omdtls.c
+++ b/plugins/omdtls/omdtls.c
@@ -270,7 +270,7 @@ CODESTARTactivateCnfPrePrivDrop
 for(inst = runModConf->root ; inst != NULL ; inst = inst->next) {
 CHKiRet(net_ossl.osslCtxInit(inst->pNetOssl, DTLS_method()));
 // Run openssl config commands in Context
- CHKiRet(net_ossl_apply_tlscgfcmd(inst->pNetOssl, inst->tlscfgcmd));
+ CHKiRet(net_ossl.osslApplyTlscgfcmd(inst->pNetOssl, inst->tlscfgcmd));
 }
 finalize_it:
 ENDactivateCnfPrePrivDrop
@@ -598,13 +598,13 @@ dtls_send(wrkrInstanceData_t *pWrkrData, const actWrkrIParams_t *__restrict__ co
 if (sslerr == SSL_ERROR_SYSCALL) {
 dbgprintf("dtls_send[%p]: SSL_write failed with SSL_ERROR_SYSCALL(%s)"
 " - Aborting Connection.\n", pWrkrData, strerror(errno));
- net_ossl_lastOpenSSLErrorMsg(pData->target, iErr, pWrkrData->sslClient, LOG_WARNING,
+ net_ossl.osslLastOpenSSLErrorMsg(pData->target, iErr, pWrkrData->sslClient, LOG_WARNING,
 "omdtls", "SSL_write");
 ABORT_FINALIZE(RS_RET_ERR);
 } else {
 dbgprintf("dtls_send[%p]: SSL_write failed with ERROR [%d]: %s"
 " - Aborting Connection.\n", pWrkrData, sslerr, ERR_error_string(sslerr, NULL));
- net_ossl_lastOpenSSLErrorMsg(pData->target, iErr, pWrkrData->sslClient, LOG_WARNING,
+ net_ossl.osslLastOpenSSLErrorMsg(pData->target, iErr, pWrkrData->sslClient, LOG_WARNING,
 "omdtls", "SSL_write");
 ABORT_FINALIZE(RS_RET_ERR);
 }
@@ -639,7 +639,8 @@ dtls_connect(wrkrInstanceData_t *pWrkrData) {
 pWrkrData->sslClient = SSL_new(pData->pNetOssl->ctx);
 if(!pWrkrData->sslClient) {
 dbgprintf("dtls_connect[%p]: SSL_new failed failed\n", pWrkrData);
- net_ossl_lastOpenSSLErrorMsg(pData->target, 0, pWrkrData->sslClient, LOG_WARNING, "omdtls", "SSL_new");
+ net_ossl.osslLastOpenSSLErrorMsg(pData->target, 0, pWrkrData->sslClient,
+ LOG_WARNING, "omdtls", "SSL_new");
 ABORT_FINALIZE(RS_RET_ERR);
 }
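Review bot: Both branches of the `dtls_send` hunk pass `iErr` (the raw `SSL_write` return value) as the error argument to `net_ossl.osslLastOpenSSLErrorMsg()`, while the equivalent calls in imdtls.c pass `err`, the `SSL_get_error()` result; whichever the helper expects, the two modules now disagree, and in this branch `sslerr` is the value the code just branched on. If the helper wants the SSL_get_error code, the fix in both branches is `net_ossl.osslLastOpenSSLErrorMsg(pData->target, sslerr, pWrkrData->sslClient, LOG_WARNING,`. Separately, the `@@ -639` hunk calls the same helper with `pWrkrData->sslClient` known to be NULL (the guard is `if(!pWrkrData->sslClient)`), so the helper must tolerate a NULL `SSL *` — worth confirming rather than assuming. `dtls_send` and `dtls_connect` both start and end outside their hunks.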
@@ -648,19 +649,20 @@ dtls_connect(wrkrInstanceData_t *pWrkrData) {
 dbgprintf("dtls_connect[%p]: enable certificate checking (Mode=%d, VerifyDepth=%d)\n",
 pWrkrData, pData->pNetOssl->authMode, pData->CertVerifyDepth);
 /* Enable certificate valid checking */
- net_ossl_set_ssl_verify_callback(pWrkrData->sslClient, SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT);
+ net_ossl.osslSetSslVerifyCallback(pWrkrData->sslClient,
+ SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT);
 if (pData->CertVerifyDepth != 0) {
 SSL_set_verify_depth(pWrkrData->sslClient, pData->CertVerifyDepth);
 }
 } else {
 dbgprintf("dtls_connect[%p]: disable certificate checking\n", pWrkrData);
- net_ossl_set_ssl_verify_callback(pWrkrData->sslClient, SSL_VERIFY_NONE);
+ net_ossl.osslSetSslVerifyCallback(pWrkrData->sslClient, SSL_VERIFY_NONE);
 }
 /* Create BIO from socket array! */
 bio_client = BIO_new_dgram(pWrkrData->sockout, BIO_NOCLOSE);
 if (!bio_client) {
- net_ossl_lastOpenSSLErrorMsg(pData->target, 0, pWrkrData->sslClient, LOG_INFO,
+ net_ossl.osslLastOpenSSLErrorMsg(pData->target, 0, pWrkrData->sslClient, LOG_INFO,
 "dtls_connect", "BIO_new_dgram");
 ABORT_FINALIZE(RS_RET_ERR);
 }
@@ -668,13 +670,13 @@ dtls_connect(wrkrInstanceData_t *pWrkrData) {
 SSL_set_bio(pWrkrData->sslClient, bio_client, bio_client);
 /* Set debug Callback for conn BIO as well! */
- net_ossl_set_bio_callback(bio_client);
+ net_ossl.osslSetBioCallback(bio_client);
 dbgprintf("dtls_connect[%p]: Starting DTLS session ...\n", pWrkrData);
 /* Perform handshake */
 iErr = SSL_connect(pWrkrData->sslClient);
 if (iErr <= 0) {
- net_ossl_lastOpenSSLErrorMsg(pData->target, iErr, pWrkrData->sslClient, LOG_INFO,
+ net_ossl.osslLastOpenSSLErrorMsg(pData->target, iErr, pWrkrData->sslClient, LOG_INFO,
 "dtls_connect", "SSL_connect");
 ABORT_FINALIZE(RS_RET_ERR);
 }
-- 
cgit v1.2.3
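Review bot: In the `@@ -668` hunk every `iErr <= 0` from `SSL_connect()` is treated as fatal without consulting `SSL_get_error()`, so `SSL_ERROR_WANT_READ`/`SSL_ERROR_WANT_WRITE` — which a datagram BIO returns mid-handshake when the underlying socket is non-blocking (whether `sockout` is non-blocking is not visible here) — would tear down a session that only needed another poll round, and the helper is then handed the raw return value rather than an error code; `dtls_send` in this same file does classify `sslerr` before giving up. Consider `int sslerr = SSL_get_error(pWrkrData->sslClient, iErr);` and handling the WANT_* cases as retryable before calling the error-message helper. In the `@@ -648` hunk the `SSL_VERIFY_NONE` path is recorded only via `dbgprintf()`; a `LogMsg()` at LOG_WARNING naming the target would make an unauthenticated outbound DTLS destination visible in normal operation, which is the kind of configuration state operators want surfaced. `dtls_connect` continues past the end of the hunk.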