diff --git a/backport-GNUTls-Driver-Fix-memory-leaks-in-gtlsInitC.patch b/backport-GNUTls-Driver-Fix-memory-leaks-in-gtlsInitC.patch new file mode 100644 index 0000000000000000000000000000000000000000..0db05946e815bee24ea996474fc21af88328fd75 --- /dev/null +++ b/backport-GNUTls-Driver-Fix-memory-leaks-in-gtlsInitC.patch @@ -0,0 +1,54 @@ +From e7ad250f51bba571c9861c4ab7df2df135be9ea3 Mon Sep 17 00:00:00 2001 +From: Andre lorbach +Date: Thu, 11 May 2023 16:49:11 +0200 +Subject: [PATCH] [backport] GNUTls Driver: Fix memory leaks in gtlsInitCred + +Missing CA Certificate or multiple Connections caused +a memory leak in pThis->xcred as it was allocated each time in +gtlsInitCred by gnutls_certificate_allocate_credentials + +closes: https://github.com/rsyslog/rsyslog/issues/5135 + +--- + +Conflict:NA +Type:bugfix +Reference:https://github.com/rsyslog/rsyslog/commit/3401d687d2d5f9556165b53be79fbe4dc49b8c79 + +--- +--- + runtime/nsd_gtls.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +diff --git a/runtime/nsd_gtls.c b/runtime/nsd_gtls.c +index bbda5c5bc..da549d728 100644 +--- a/runtime/nsd_gtls.c ++++ b/runtime/nsd_gtls.c +@@ -711,7 +711,10 @@ gtlsInitCred(nsd_gtls_t *const pThis ) + DEFiRet; + + /* X509 stuff */ +- CHKgnutls(gnutls_certificate_allocate_credentials(&pThis->xcred)); ++ if (pThis->xcred == NULL) { ++ /* Allocate only ONCE */ ++ CHKgnutls(gnutls_certificate_allocate_credentials(&pThis->xcred)); ++ } + + /* sets the trusted cas file */ + cafile = (pThis->pszCAFile == NULL) ? glbl.GetDfltNetstrmDrvrCAF() : pThis->pszCAFile; +@@ -2264,7 +2267,12 @@ finalize_it: + if(pThis->bHaveSess) { + gnutls_deinit(pThis->sess); + pThis->bHaveSess = 0; ++ /* Free memory using gnutls api first*/ ++ gnutls_certificate_free_credentials(pThis->xcred); + pThis->xcred = NULL; ++ /* Free other memory */ ++ free(pThis->pszConnectHost); ++ pThis->pszConnectHost = NULL; + } + } + +-- +2.12.3 + diff --git a/backport-MMDBLOOKUP-FIXED-Don-t-crash-Rsyslog-on-mmd.patch b/backport-MMDBLOOKUP-FIXED-Don-t-crash-Rsyslog-on-mmd.patch new file mode 100644 index 0000000000000000000000000000000000000000..7801e3c630ac171035c82b2708750a9141cf42b7 --- /dev/null +++ b/backport-MMDBLOOKUP-FIXED-Don-t-crash-Rsyslog-on-mmd.patch @@ -0,0 +1,126 @@ +From bd5933ce7617238b143a54709f582d2e2abbdd5f Mon Sep 17 00:00:00 2001 +From: frikilax +Date: Tue, 19 Apr 2022 09:56:06 +0200 +Subject: [PATCH] [backport] MMDBLOOKUP::FIXED:: Don't crash Rsyslog on mmdb + file errors + +--- + +Conflict:NA +Reference:https://github.com/rsyslog/rsyslog/commit/0869d725f297f50830ae4a026902d6aa35d8f8bd + +--- +--- + plugins/mmdblookup/mmdblookup.c | 39 ++++++++++++++++++++++++++++++--------- + 1 file changed, 30 insertions(+), 9 deletions(-) + +diff --git a/plugins/mmdblookup/mmdblookup.c b/plugins/mmdblookup/mmdblookup.c +index 3fe5172a9..85536f2cf 100644 +--- a/plugins/mmdblookup/mmdblookup.c ++++ b/plugins/mmdblookup/mmdblookup.c +@@ -68,6 +68,7 @@ typedef struct wrkrInstanceData { + instanceData *pData; + MMDB_s mmdb; + pthread_mutex_t mmdbMutex; ++ sbool mmdb_is_open; + } wrkrInstanceData_t; + + struct modConfData_s { +@@ -122,15 +123,30 @@ int open_mmdb(const char *file, MMDB_s *mmdb) { + dbgprintf(" IO error: %s\n", strerror(errno)); + } + LogError(0, RS_RET_SUSPENDED, "maxminddb error: cannot open database file"); ++ return RS_RET_SUSPENDED; + } + +- return MMDB_SUCCESS != status; ++ return RS_RET_OK; + } + + void close_mmdb(MMDB_s *mmdb) { + MMDB_close(mmdb); + } + ++static rsRetVal wrkr_reopen_mmdb(wrkrInstanceData_t *pWrkrData) { ++ DEFiRet; ++ pthread_mutex_lock(&pWrkrData->mmdbMutex); ++ LogMsg(0, NO_ERRCODE, LOG_INFO, "mmdblookup: reopening MMDB file"); ++ if (pWrkrData->mmdb_is_open) close_mmdb(&pWrkrData->mmdb); ++ pWrkrData->mmdb_is_open = 0; ++ CHKiRet(open_mmdb(pWrkrData->pData->pszMmdbFile, &pWrkrData->mmdb)); ++ pWrkrData->mmdb_is_open = 1; ++ ++finalize_it: ++ pthread_mutex_unlock(&pWrkrData->mmdbMutex); ++ RETiRet; ++} ++ + BEGINbeginCnfLoad + CODESTARTbeginCnfLoad + loadModConf = pModConf; +@@ -163,6 +179,7 @@ ENDcreateInstance + BEGINcreateWrkrInstance + CODESTARTcreateWrkrInstance + CHKiRet(open_mmdb(pData->pszMmdbFile, &pWrkrData->mmdb)); ++ pWrkrData->mmdb_is_open = 1; + CHKiConcCtrl(pthread_mutex_init(&pWrkrData->mmdbMutex, NULL)); + finalize_it: + ENDcreateWrkrInstance +@@ -190,7 +207,8 @@ ENDfreeInstance + + BEGINfreeWrkrInstance + CODESTARTfreeWrkrInstance +- close_mmdb(&pWrkrData->mmdb); ++ if (pWrkrData->mmdb_is_open) close_mmdb(&pWrkrData->mmdb); ++ pWrkrData->mmdb_is_open = 0; + pthread_mutex_destroy(&pWrkrData->mmdbMutex); + ENDfreeWrkrInstance + +@@ -312,6 +330,7 @@ ENDdbgPrintInstInfo + + BEGINtryResume + CODESTARTtryResume ++ iRet = wrkr_reopen_mmdb(pWrkrData); + ENDtryResume + + +@@ -356,6 +375,11 @@ BEGINdoAction_NoStrings + json_object *total_json = NULL; + MMDB_entry_data_list_s *entry_data_list = NULL; + CODESTARTdoAction ++ /* ensure file is open before beginning */ ++ if (!pWrkrData->mmdb_is_open) { ++ CHKiRet(wrkr_reopen_mmdb(pWrkrData)); ++ } ++ + /* key is given, so get the property json */ + msgPropDescr_t pProp; + msgPropDescrFill(&pProp, (uchar*)pData->pszKey, strlen(pData->pszKey)); +@@ -382,7 +406,9 @@ CODESTARTdoAction + } + if (MMDB_SUCCESS != mmdb_err) { + dbgprintf("Got an error from the maxminddb library: %s\n", MMDB_strerror(mmdb_err)); +- ABORT_FINALIZE(RS_RET_OK); ++ close_mmdb(&pWrkrData->mmdb); ++ pWrkrData->mmdb_is_open = 0; ++ ABORT_FINALIZE(RS_RET_IO_ERROR); + } + if (!result.found_entry) { + dbgprintf("No entry found in database for '%s'\n", pszValue); +@@ -450,12 +476,7 @@ BEGINdoHUPWrkr + CODESTARTdoHUPWrkr + dbgprintf("mmdblookup: HUP received\n"); + if (pWrkrData->pData->reloadOnHup) { +- // a mutex is needed, as it's the main thread that runs this handler +- pthread_mutex_lock(&pWrkrData->mmdbMutex); +- LogMsg(0, NO_ERRCODE, LOG_INFO, "mmdblookup: reloading MMDB file"); +- close_mmdb(&pWrkrData->mmdb); +- iRet = open_mmdb(pWrkrData->pData->pszMmdbFile, &pWrkrData->mmdb); +- pthread_mutex_unlock(&pWrkrData->mmdbMutex); ++ iRet = wrkr_reopen_mmdb(pWrkrData); + } + ENDdoHUPWrkr + +-- +2.12.3 + diff --git a/backport-OpenSSL-fix-depreacted-API-issues-for-OpenS.patch b/backport-OpenSSL-fix-depreacted-API-issues-for-OpenS.patch new file mode 100644 index 0000000000000000000000000000000000000000..2dc8a38fa23ff1ceb83239aa8cad55f68314c934 --- /dev/null +++ b/backport-OpenSSL-fix-depreacted-API-issues-for-OpenS.patch @@ -0,0 +1,120 @@ +From 4fe3152b51884916861303573294be3d797f3998 Mon Sep 17 00:00:00 2001 +From: Andre lorbach +Date: Mon, 27 Jun 2022 14:39:07 +0200 +Subject: [PATCH] [backport] OpenSSL: fix depreacted API issues for OpenSSL 3.x + +- OpenSSL error strings are loaded automatically now +- Debug Callback has changed +- See for more: + https://www.openssl.org/docs/manmaster/man7/migration_guide.html + +closes: https://github.com/rsyslog/rsyslog/issues/4912 +--- + +Conflict:NA +Reference:https://github.com/rsyslog/rsyslog/commit/bd4d4a6c5ccf6c0d279e6c45bf719433bc48105d + +--- +--- + runtime/nsd_ossl.c | 39 ++++++++++++++++++++++++++++++--------- + 1 file changed, 30 insertions(+), 9 deletions(-) + +diff --git a/runtime/nsd_ossl.c b/runtime/nsd_ossl.c +index 13f697704..5d8ebd86c 100644 +--- a/runtime/nsd_ossl.c ++++ b/runtime/nsd_ossl.c +@@ -31,6 +31,9 @@ + #include + #include + #include ++#if OPENSSL_VERSION_NUMBER >= 0x30000000L && !defined(LIBRESSL_VERSION_NUMBER) ++# include ++#endif + #include + #include + #include +@@ -294,16 +297,20 @@ int verify_callback(int status, X509_STORE_CTX *store) + return status; + } + ++#if OPENSSL_VERSION_NUMBER >= 0x30000000L && !defined(LIBRESSL_VERSION_NUMBER) ++long BIO_debug_callback_ex(BIO *bio, int cmd, const char __attribute__((unused)) *argp, ++ size_t __attribute__((unused)) len, int argi, long __attribute__((unused)) argl, ++ int ret, size_t __attribute__((unused)) *processed) ++#else + long BIO_debug_callback(BIO *bio, int cmd, const char __attribute__((unused)) *argp, + int argi, long __attribute__((unused)) argl, long ret) ++#endif + { ++ long ret2 = ret; // Helper value to avoid printf compile errors long<>int + long r = 1; +- + if (BIO_CB_RETURN & cmd) + r = ret; +- + dbgprintf("openssl debugmsg: BIO[%p]: ", (void *)bio); +- + switch (cmd) { + case BIO_CB_FREE: + dbgprintf("Free - %s\n", RSYSLOG_BIO_method_name(bio)); +@@ -350,19 +357,19 @@ long BIO_debug_callback(BIO *bio, int cmd, const char __attribute__((unused)) *a + RSYSLOG_BIO_method_name(bio)); + break; + case BIO_CB_RETURN | BIO_CB_READ: +- dbgprintf("read return %ld\n", ret); ++ dbgprintf("read return %ld\n", ret2); + break; + case BIO_CB_RETURN | BIO_CB_WRITE: +- dbgprintf("write return %ld\n", ret); ++ dbgprintf("write return %ld\n", ret2); + break; + case BIO_CB_RETURN | BIO_CB_GETS: +- dbgprintf("gets return %ld\n", ret); ++ dbgprintf("gets return %ld\n", ret2); + break; + case BIO_CB_RETURN | BIO_CB_PUTS: +- dbgprintf("puts return %ld\n", ret); ++ dbgprintf("puts return %ld\n", ret2); + break; + case BIO_CB_RETURN | BIO_CB_CTRL: +- dbgprintf("ctrl return %ld\n", ret); ++ dbgprintf("ctrl return %ld\n", ret2); + break; + default: + dbgprintf("bio callback - unknown type (%d)\n", cmd); +@@ -420,9 +427,19 @@ osslGlblInit(void) + + /* Load readable error strings */ + SSL_load_error_strings(); ++#if OPENSSL_VERSION_NUMBER >= 0x30000000L && !defined(LIBRESSL_VERSION_NUMBER) ++ /* ++ * ERR_load_*(), ERR_func_error_string(), ERR_get_error_line(), ERR_get_error_line_data(), ERR_get_state() ++ * OpenSSL now loads error strings automatically so these functions are not needed. ++ * SEE FOR MORE: ++ * https://www.openssl.org/docs/manmaster/man7/migration_guide.html ++ * ++ */ ++#else ++ /* Load error strings into mem*/ + ERR_load_BIO_strings(); + ERR_load_crypto_strings(); +- ++#endif + RETiRet; + } + +@@ -557,7 +574,11 @@ osslInitSession(nsd_ossl_t *pThis, osslSslState_t osslType) /* , nsd_ossl_t *pSe + dbgprintf("osslInitSession: Init conn BIO[%p] done\n", (void *)conn); + + /* Set debug Callback for conn BIO as well! */ ++#if OPENSSL_VERSION_NUMBER >= 0x30000000L && !defined(LIBRESSL_VERSION_NUMBER) ++ BIO_set_callback_ex(conn, BIO_debug_callback_ex); ++#else + BIO_set_callback(conn, BIO_debug_callback); ++#endif + + /* TODO: still needed? Set to NON blocking ! */ + BIO_set_nbio( conn, 1 ); +-- +2.12.3 + diff --git a/backport-bugfix-prevent-pot.-segfault-when-switchung.patch b/backport-bugfix-prevent-pot.-segfault-when-switchung.patch new file mode 100644 index 0000000000000000000000000000000000000000..ed493d19cf06366085f0e0b4a4a745042cf91ad5 --- /dev/null +++ b/backport-bugfix-prevent-pot.-segfault-when-switchung.patch @@ -0,0 +1,57 @@ +From 1807410d18519520ed813dd4b9d2b2d34e583415 Mon Sep 17 00:00:00 2001 +From: Rainer Gerhards +Date: Sun, 30 Oct 2022 18:43:26 +0100 +Subject: [PATCH] [backport] bugfix: prevent pot. segfault when switchung to + queue emergency mode + +When switching to Disk queue emergency mode, we destructed the in-memory +queue object. Practice has shown that this MAY cause races during +destruction which themselfs can lead to segfault. For that reason, we +now keep the disk queueu object. This will keep some ressources, +including disk space, allocated. But we prefer that over a segfault. +After all, it only happens after a serious queue error when we are +already at the edge of hard problems. + +see also: https://github.com/rsyslog/rsyslog/issues/4963 + +--- + +Conflict:NA +Type:bugfix +Reference:https://github.com/rsyslog/rsyslog/commit/eaac48d0d23afe0146454cd9f5004ddcb47cc81b + +--- +--- + runtime/queue.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/runtime/queue.c b/runtime/queue.c +index b3fdd5101..856b4df25 100644 +--- a/runtime/queue.c ++++ b/runtime/queue.c +@@ -794,8 +794,12 @@ static rsRetVal qDelLinkedList(qqueue_t *pThis) + /* The following function is used to "save" ourself from being killed by + * a fatally failed disk queue. A fatal failure is, for example, if no + * data can be read or written. In that case, the disk support is disabled, +- * with all on-disk structures kept as-is as much as possible. Instead, the +- * queue is switched to direct mode, so that at least ++ * with all on-disk structures kept as-is as much as possible. However, ++ * we do not really stop or destruct the in-memory disk queue object. ++ * Practice has shown that this may cause races during destruction which ++ * themselfs can lead to segfault. So we prefer to was some ressources by ++ * keeping the queue active. ++ * Instead, the queue is switched to direct mode, so that at least + * some processing can happen. Of course, this may still have lots of + * undesired side-effects, but is probably better than aborting the + * syslogd. Note that this function *must* succeed in one way or another, as +@@ -808,7 +812,6 @@ queueSwitchToEmergencyMode(qqueue_t *pThis, rsRetVal initiatingError) + { + pThis->iQueueSize = 0; + pThis->nLogDeq = 0; +- qDestructDisk(pThis); /* free disk structures */ + + pThis->qType = QUEUETYPE_DIRECT; + pThis->qConstruct = qConstructDirect; +-- +2.12.3 + diff --git a/backport-core-bugfix-using-uuid-msg-prop-can-deadloc.patch b/backport-core-bugfix-using-uuid-msg-prop-can-deadloc.patch new file mode 100644 index 0000000000000000000000000000000000000000..4924ae06119e8d8405af6f98370bc0c293b11b1c --- /dev/null +++ b/backport-core-bugfix-using-uuid-msg-prop-can-deadloc.patch @@ -0,0 +1,84 @@ +From deefc958c388995fac99c581284fb86eb9653ece Mon Sep 17 00:00:00 2001 +From: Rainer Gerhards +Date: Thu, 23 Mar 2023 10:58:32 +0100 +Subject: [PATCH] [backport] core/bugfix: using $uuid msg prop can deadlock + rsyslog on shutdown + +This problem can occur if a large number of threads is used and rsyslog +cannot shut down all queues etc within the regular time interval. In this +case, it cancels some threads. That can leave the mutex guarding libuuid +calls locked and thus prevents other, not yet cancelled threads from +progressing. Assuming pthread_mutex_lock() is not a cancellation point, +this will case these other threads to hang forever and thus create a +deadlock situation. + +closes https://github.com/rsyslog/rsyslog/issues/5104 + +--- + +Conflict:runtime/msg.c +Type:bugfix +Reference:https://github.com/rsyslog/rsyslog/commit/82687e14fbf3d854e8cc954efb9fb0efa69a28d2 + +--- +--- + runtime/msg.c | 19 ++++++++++++------- + 1 file changed, 12 insertions(+), 7 deletions(-) + +diff --git a/runtime/msg.c b/runtime/msg.c +index 73b7cec80..a3ddb8684 100644 +--- a/runtime/msg.c ++++ b/runtime/msg.c +@@ -7,7 +7,7 @@ + * of the "old" message code without any modifications. However, it + * helps to have things at the right place one we go to the meat of it. + * +- * Copyright 2007-2020 Rainer Gerhards and Adiscon GmbH. ++ * Copyright 2007-2023 Rainer Gerhards and Adiscon GmbH. + * + * This file is part of the rsyslog runtime library. + * +@@ -1618,13 +1618,22 @@ msgSetPRI(smsg_t *const __restrict__ pMsg, syslog_pri_t pri) + /* note: libuuid seems not to be thread-safe, so we need + * to get some safeguards in place. + */ ++static pthread_mutex_t mutUUID = PTHREAD_MUTEX_INITIALIZER; ++ ++static void call_uuid_generate(uuid_t uuid) ++{ ++ pthread_mutex_lock(&mutUUID); ++ pthread_cleanup_push(mutexCancelCleanup, &mutUUID); ++ uuid_generate(uuid); ++ pthread_cleanup_pop(1); ++} ++ + static void msgSetUUID(smsg_t * const pM) + { + size_t lenRes = sizeof(uuid_t) * 2 + 1; + char hex_char [] = "0123456789ABCDEF"; + unsigned int byte_nbr; + uuid_t uuid; +- static pthread_mutex_t mutUUID = PTHREAD_MUTEX_INITIALIZER; + + dbgprintf("[MsgSetUUID] START, lenRes %llu\n", (long long unsigned) lenRes); + assert(pM != NULL); +@@ -1632,9 +1641,7 @@ static void msgSetUUID(smsg_t * const pM) + if((pM->pszUUID = (uchar*) malloc(lenRes)) == NULL) { + pM->pszUUID = (uchar *)""; + } else { +- pthread_mutex_lock(&mutUUID); +- uuid_generate(uuid); +- pthread_mutex_unlock(&mutUUID); ++ call_uuid_generate(uuid); + for (byte_nbr = 0; byte_nbr < sizeof (uuid_t); byte_nbr++) { + pM->pszUUID[byte_nbr * 2 + 0] = hex_char[uuid [byte_nbr] >> 4]; + pM->pszUUID[byte_nbr * 2 + 1] = hex_char[uuid [byte_nbr] & 15]; +@@ -5352,5 +5359,3 @@ BEGINObjClassInit(msg, 1, OBJ_IS_CORE_MODULE) + INIT_ATOMIC_HELPER_MUT(mutTrimCtr); + # endif + ENDObjClassInit(msg) +-/* vim:set ai: +- */ +-- +2.12.3 + diff --git a/backport-imjournal-add-second-fallback-to-_COMM.patch b/backport-imjournal-add-second-fallback-to-_COMM.patch new file mode 100644 index 0000000000000000000000000000000000000000..eba679ccbb47a70cb82f41ab30aee146aab7d9fd --- /dev/null +++ b/backport-imjournal-add-second-fallback-to-_COMM.patch @@ -0,0 +1,38 @@ +From 45900dd550e0aca724a4ec66c2833de3d27565e1 Mon Sep 17 00:00:00 2001 +From: alakatos +Date: Mon, 31 Oct 2022 14:40:12 +0100 +Subject: [PATCH] [backport] imjournal: add second fallback to _COMM + +If SYSLOG_IDENTIFIER is not present in the journal message, +then lookup the _COMM field, which stands for the name +of the process the journal entry originates from. This is +needed in order to be in compliance with the journalctl +output. + +--- + +Conflict:NA +Type:bugfix +Reference:https://github.com/rsyslog/rsyslog/commit/fb5ae30e6ac4dc584dd9c5463e27e7fc5e9060a4 + +--- +--- + plugins/imjournal/imjournal.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/plugins/imjournal/imjournal.c b/plugins/imjournal/imjournal.c +index 6fb3b7a07..4d9e59966 100644 +--- a/plugins/imjournal/imjournal.c ++++ b/plugins/imjournal/imjournal.c +@@ -453,6 +453,8 @@ readjournal(void) + /* Get message identifier, client pid and add ':' */ + if (journalGetData("SYSLOG_IDENTIFIER", &get, &length) >= 0) { + CHKiRet(sanitizeValue(((const char *)get) + 18, length - 18, &sys_iden)); ++ } else if (journalGetData("_COMM", &get, &length) >= 0) { ++ CHKiRet(sanitizeValue(((const char *)get) + 6, length - 6, &sys_iden)); + } else { + CHKmalloc(sys_iden = strdup("journal")); + } +-- +2.12.3 + diff --git a/backport-support-sha256-for-StreamDriverAuthMode-x50.patch b/backport-support-sha256-for-StreamDriverAuthMode-x50.patch new file mode 100644 index 0000000000000000000000000000000000000000..941142acf149ef0cb4e301c70dc718d91b961db7 --- /dev/null +++ b/backport-support-sha256-for-StreamDriverAuthMode-x50.patch @@ -0,0 +1,159 @@ +From 7614f08d6e5688be750722c81567916159f99824 Mon Sep 17 00:00:00 2001 +From: cody +Date: Thu, 7 Jul 2022 16:11:43 +0200 +Subject: [PATCH] [backport] support sha256 for + StreamDriverAuthMode="x509/fingerprint" + +--- + +Conflict:NA +Type:bugfix +Reference:https://github.com/rsyslog/rsyslog/commit/8a52bf055394b38a0da609ea1104ca336e3d5252 + +--- +--- + runtime/nsd_gtls.c | 22 ++++++++++++++++++---- + runtime/nsd_ossl.c | 24 +++++++++++++++++++----- + 2 files changed, 37 insertions(+), 9 deletions(-) + +diff --git a/runtime/nsd_gtls.c b/runtime/nsd_gtls.c +index da549d728..f1dcaf22b 100644 +--- a/runtime/nsd_gtls.c ++++ b/runtime/nsd_gtls.c +@@ -493,7 +493,7 @@ print_info(nsd_gtls_t *pThis) + * rgerhards, 2008-05-08 + */ + static rsRetVal +-GenFingerprintStr(uchar *pFingerprint, size_t sizeFingerprint, cstr_t **ppStr) ++GenFingerprintStr(uchar *pFingerprint, size_t sizeFingerprint, cstr_t **ppStr, const char* prefix) + { + cstr_t *pStr = NULL; + uchar buf[4]; +@@ -501,7 +501,7 @@ GenFingerprintStr(uchar *pFingerprint, size_t sizeFingerprint, cstr_t **ppStr) + DEFiRet; + + CHKiRet(rsCStrConstruct(&pStr)); +- CHKiRet(rsCStrAppendStrWithLen(pStr, (uchar*)"SHA1", 4)); ++ CHKiRet(rsCStrAppendStrWithLen(pStr, (uchar*) prefix, strlen(prefix))); + for(i = 0 ; i < sizeFingerprint ; ++i) { + snprintf((char*)buf, sizeof(buf), ":%2.2X", pFingerprint[i]); + CHKiRet(rsCStrAppendStrWithLen(pStr, buf, 3)); +@@ -922,8 +922,11 @@ static rsRetVal + gtlsChkPeerFingerprint(nsd_gtls_t *pThis, gnutls_x509_crt_t *pCert) + { + uchar fingerprint[20]; ++ uchar fingerprintSha256[32]; + size_t size; ++ size_t sizeSha256; + cstr_t *pstrFingerprint = NULL; ++ cstr_t *pstrFingerprintSha256 = NULL; + int bFoundPositiveMatch; + permittedPeers_t *pPeer; + int gnuRet; +@@ -933,17 +936,27 @@ gtlsChkPeerFingerprint(nsd_gtls_t *pThis, gnutls_x509_crt_t *pCert) + + /* obtain the SHA1 fingerprint */ + size = sizeof(fingerprint); ++ sizeSha256 = sizeof(fingerprintSha256); + CHKgnutls(gnutls_x509_crt_get_fingerprint(*pCert, GNUTLS_DIG_SHA1, fingerprint, &size)); +- CHKiRet(GenFingerprintStr(fingerprint, size, &pstrFingerprint)); ++ CHKgnutls(gnutls_x509_crt_get_fingerprint(*pCert, GNUTLS_DIG_SHA256, fingerprintSha256, &sizeSha256)); ++ CHKiRet(GenFingerprintStr(fingerprint, size, &pstrFingerprint, "SHA1")); ++ CHKiRet(GenFingerprintStr(fingerprintSha256, sizeSha256, &pstrFingerprintSha256, "SHA256")); + dbgprintf("peer's certificate SHA1 fingerprint: %s\n", cstrGetSzStrNoNULL(pstrFingerprint)); ++ dbgprintf("peer's certificate SHA256 fingerprint: %s\n", cstrGetSzStrNoNULL(pstrFingerprintSha256)); ++ + + /* now search through the permitted peers to see if we can find a permitted one */ + bFoundPositiveMatch = 0; + pPeer = pThis->pPermPeers; + while(pPeer != NULL && !bFoundPositiveMatch) { + if(!rsCStrSzStrCmp(pstrFingerprint, pPeer->pszID, strlen((char*) pPeer->pszID))) { ++ dbgprintf("gtlsChkPeerFingerprint: peer's certificate SHA1 MATCH found: %s\n", pPeer->pszID); + bFoundPositiveMatch = 1; +- } else { ++ } else if(!rsCStrSzStrCmp(pstrFingerprintSha256 , pPeer->pszID, strlen((char*) pPeer->pszID))) { ++ dbgprintf("gtlsChkPeerFingerprint: peer's certificate SHA256 MATCH found: %s\n", pPeer->pszID); ++ bFoundPositiveMatch = 1; ++ } ++ else { + pPeer = pPeer->pNext; + } + } +@@ -2384,3 +2397,4 @@ CODESTARTmodInit + ENDmodInit + /* vi:set ai: + */ ++ +diff --git a/runtime/nsd_ossl.c b/runtime/nsd_ossl.c +index 5d8ebd86c..d3eb643f7 100644 +--- a/runtime/nsd_ossl.c ++++ b/runtime/nsd_ossl.c +@@ -387,7 +387,7 @@ long BIO_debug_callback(BIO *bio, int cmd, const char __attribute__((unused)) *a + * rgerhards, 2008-05-08 + */ + static rsRetVal +-GenFingerprintStr(uchar *pFingerprint, size_t sizeFingerprint, cstr_t **ppStr) ++GenFingerprintStr(uchar *pFingerprint, size_t sizeFingerprint, cstr_t **ppStr, const char* prefix) + { + cstr_t *pStr = NULL; + uchar buf[4]; +@@ -395,7 +395,7 @@ GenFingerprintStr(uchar *pFingerprint, size_t sizeFingerprint, cstr_t **ppStr) + DEFiRet; + + CHKiRet(rsCStrConstruct(&pStr)); +- CHKiRet(rsCStrAppendStrWithLen(pStr, (uchar*)"SHA1", 4)); ++ CHKiRet(rsCStrAppendStrWithLen(pStr, (uchar*) prefix, strlen(prefix))); + for(i = 0 ; i < sizeFingerprint ; ++i) { + snprintf((char*)buf, sizeof(buf), ":%2.2X", pFingerprint[i]); + CHKiRet(rsCStrAppendStrWithLen(pStr, buf, 3)); +@@ -613,11 +613,15 @@ osslChkPeerFingerprint(nsd_ossl_t *pThis, X509 *pCert) + unsigned int n; + uchar *fromHostIP = NULL; + uchar fingerprint[20 /*EVP_MAX_MD_SIZE**/]; ++ uchar fingerprintSha256[32 /*EVP_MAX_MD_SIZE**/]; + size_t size; ++ size_t sizeSha256; + cstr_t *pstrFingerprint = NULL; ++ cstr_t *pstrFingerprintSha256 = NULL; + int bFoundPositiveMatch; + permittedPeers_t *pPeer; + const EVP_MD *fdig = EVP_sha1(); ++ const EVP_MD *fdigSha256 = EVP_sha256(); + + ISOBJ_TYPE_assert(pThis, nsd_ossl); + +@@ -627,17 +631,27 @@ osslChkPeerFingerprint(nsd_ossl_t *pThis, X509 *pCert) + dbgprintf("osslChkPeerFingerprint: error X509cert is not valid!\n"); + ABORT_FINALIZE(RS_RET_INVALID_FINGERPRINT); + } +- +- CHKiRet(GenFingerprintStr(fingerprint, size, &pstrFingerprint)); ++ sizeSha256 = sizeof(fingerprintSha256); ++ if (!X509_digest(pCert,fdigSha256,fingerprintSha256,&n)) { ++ dbgprintf("osslChkPeerFingerprint: error X509cert is not valid!\n"); ++ ABORT_FINALIZE(RS_RET_INVALID_FINGERPRINT); ++ } ++ CHKiRet(GenFingerprintStr(fingerprint, size, &pstrFingerprint, "SHA1")); + dbgprintf("osslChkPeerFingerprint: peer's certificate SHA1 fingerprint: %s\n", + cstrGetSzStrNoNULL(pstrFingerprint)); ++ CHKiRet(GenFingerprintStr(fingerprintSha256, sizeSha256, &pstrFingerprintSha256, "SHA256")); ++ dbgprintf("osslChkPeerFingerprint: peer's certificate SHA256 fingerprint: %s\n", ++ cstrGetSzStrNoNULL(pstrFingerprintSha256)); + + /* now search through the permitted peers to see if we can find a permitted one */ + bFoundPositiveMatch = 0; + pPeer = pThis->pPermPeers; + while(pPeer != NULL && !bFoundPositiveMatch) { + if(!rsCStrSzStrCmp(pstrFingerprint, pPeer->pszID, strlen((char*) pPeer->pszID))) { +- dbgprintf("osslChkPeerFingerprint: peer's certificate MATCH found: %s\n", pPeer->pszID); ++ dbgprintf("osslChkPeerFingerprint: peer's certificate SHA1 MATCH found: %s\n", pPeer->pszID); ++ bFoundPositiveMatch = 1; ++ } else if(!rsCStrSzStrCmp(pstrFingerprintSha256, pPeer->pszID, strlen((char*) pPeer->pszID))) { ++ dbgprintf("osslChkPeerFingerprint: peer's certificate SHA256 MATCH found: %s\n", pPeer->pszID); + bFoundPositiveMatch = 1; + } else { + dbgprintf("osslChkPeerFingerprint: NOMATCH peer certificate: %s\n", pPeer->pszID); +-- +2.12.3 + diff --git a/rsyslog.spec b/rsyslog.spec index 865576ac32e5850f00194d937dd9831d9328ce9a..d210497c9d05334c93be5ca0428a1b6e922ba1bb 100644 --- a/rsyslog.spec +++ b/rsyslog.spec @@ -7,7 +7,7 @@ Name: rsyslog Version: 8.2110.0 -Release: 15 +Release: 16 Summary: The rocket-fast system for log processing License: (GPLv3+ and ASL 2.0) URL: http://www.rsyslog.com/ @@ -55,6 +55,13 @@ Patch6019: backport-add-test-for-legacy-permittedPeer-statement.patch Patch6020: backport-imtcp-bugfix-legacy-config-directives-did-no-longer-work.patch Patch6021: backport-core-bugfix-template-system-may-generate-invalid-json.patch Patch6022: backport-omprog-bugfix-invalid-status-handling-at-called-prog.patch +Patch6023: backport-OpenSSL-fix-depreacted-API-issues-for-OpenS.patch +Patch6024: backport-MMDBLOOKUP-FIXED-Don-t-crash-Rsyslog-on-mmd.patch +Patch6025: backport-support-sha256-for-StreamDriverAuthMode-x50.patch +Patch6026: backport-imjournal-add-second-fallback-to-_COMM.patch +Patch6027: backport-bugfix-prevent-pot.-segfault-when-switchung.patch +Patch6028: backport-core-bugfix-using-uuid-msg-prop-can-deadloc.patch +Patch6029: backport-GNUTls-Driver-Fix-memory-leaks-in-gtlsInitC.patch BuildRequires: gcc autoconf automake bison dos2unix flex pkgconfig python3-docutils libtool BuildRequires: libgcrypt-devel libuuid-devel zlib-devel krb5-devel libnet-devel gnutls-devel @@ -529,6 +536,18 @@ done %{_mandir}/man1/rscryutil.1.gz %changelog +* Sun Jun 25 2023 linzhuorong - 8.2110.0-16 +- Type:NA +- ID:NA +- SUG:NA +- DESC: OpenSSL: fix depreacted API issues for OpenSSL 3.x + MMDBLOOKUP::FIXED:: Don't crash Rsyslog on mmdb + support sha256 for StreamDriverAuthMode="x509/fingerprint" + imjournal: add second fallback to _COMM + bugfix: prevent pot. segfault when switchung to + core/bugfix: using $uuid msg prop can deadlock rsyslog on shutdown + GNUTls Driver: Fix memory leaks in gtlsInitCred + * Tue Jun 6 2023 zhangqiumiao - 8.2110.0-15 - Type:NA - ID:NA