isa/sudo
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
12,419 Commits 1 Branch 0 Tags
45fdfa18f1d46a1d6171a8f94f0fa9396b51de20
Commit Graph

169 Commits

Author SHA1 Message Date
Todd C. Miller
1f8da42f9a Warn about tls errors during startup so the user has a clue. 
We write messages to stderr until we become a daemon.
 2020-05-05 13:23:26 -06:00
Todd C. Miller
e5f8214c0a Remove the tls parameter from the ServerHello message. 
The TLS connection is now initiated before ServerHello is received.
 2020-05-05 13:23:26 -06:00
Todd C. Miller
1659d96c55 Use port 30343 for plaintext and port 30344 for TLS. 
For TLS connections we now do the TLS handshake immediately before
the ServerHello message.  This lets the client recieve an alert
from the server is there is a handshake error after the TLS connect
has succeeded.  It also means that the contents of the ServerHello
are protected from a man-in-the-middle attack.
 2020-05-05 13:23:26 -06:00
Todd C. Miller
2ab8f2a732 Check for tls_config->dhparams_path being non-NULL before using it. 2020-04-28 10:52:08 -06:00
Laszlo Orban
481427f9f0 add missing shudown of TLS connection 2020-04-17 07:00:19 -06:00
Todd C. Miller
ce92674cc2 Reload sudo.conf upon SIGUP 
This makes it possible to update the Debug settings in sudo.conf and
have them take effect on reload.
 2020-04-08 10:19:55 -06:00
Todd C. Miller
69b6783be6 Store the result of ERR_get_error() so we can use it for both warn and debug. 
Otherwise, only the debug framework gets the actual error and the
user won't see the problem.
 2020-04-08 09:26:41 -06:00
Todd C. Miller
18ff60f6ff Disable IPv4-mapped IPv6 addresses in the listener. 
Also store the host + port string and use it in error messages.
 2020-04-08 08:54:28 -06:00
Todd C. Miller
e86106f2e1 Create the pid file parent directory if it doesn't already exist. 
Also package the run directory in the sudo_logsrvd PolyPkg file.
 2020-04-07 19:26:37 -06:00
Todd C. Miller
c122e9bf62 Write process ID as an unsigned int (with a cast). 
On Solaris, pid_t may be typedef'd as a long but the actual range
is 32 bits at most.
 2020-03-29 09:11:57 -06:00
Todd C. Miller
f908ddd1bf Create a pidfile for sudo_logsrvd when not run with the -n flag. 2020-03-29 05:05:08 -06:00
Todd C. Miller
1b90f65609 sudo_logsrvd now exits with an error if it cannot open any listen sockets. 2020-03-29 05:05:08 -06:00
Todd C. Miller
5034ea91be Some new source files got created with my old email address. 2020-03-29 05:05:08 -06:00
Todd C. Miller
84d9c7b241 Add configure check for SSL_CTX_get0_certificate(). 
Dummy out verify_server_cert() if it is not present to allow building
on older OpenSSL versions.  Rewriting this to work with old OpenSSL
is not worth the trouble.
 2020-03-17 20:07:48 -06:00
Todd C. Miller
b308b63b50 Fix potential use-after-free; Coverity CID 208814 2020-03-11 19:28:36 -06:00
Todd C. Miller
f561e2cafe Store the event base in the client closure. 
Explicitly passing the event base removes the need to set a default base.
 2020-03-01 13:36:59 -07:00
Todd C. Miller
a0c2de4cef Re-register listeners on SIGHUP. 
Previously, a config reload would refresh the listener address list
but the changes had no effect on the actual addresses being listened on.
 2020-02-18 13:13:03 -07:00
Todd C. Miller
adb3bdf6dd Fix compilation error when not built with OpenSSL support. 
Adds a missing #ifdef HAVE_OPENSSL and reorders code to avoid the
need for a static init_tls_server_context() prototype.
 2020-02-18 10:35:30 -07:00
Todd C. Miller
5781a6a4cf Add support for JSON logging in sudo_logsrvd. 2020-02-17 16:10:56 -07:00
Todd C. Miller
25542216fe Fix support for reloading the config in sudo_logsrvd. 
We need to re-initialize the TLS server context.
Also fix a memory leak of the TLS parameters on reload.
 2020-02-17 15:01:38 -07:00
Todd C. Miller
ac61b5655d Use EXIT_SUCCESS and EXIT_FAILURE more consistently. 2020-02-08 12:43:00 -07:00
Todd C. Miller
589adfee2d Only keepalive if accept() succeeded; coverity CID 207990 2020-02-07 12:54:53 -07:00
Laszlo Orban
24c9438486 logserver option to disable certificate verification on server side and server authentication on client side 2020-01-23 10:12:12 -07:00
Laszlo Orban
9935a7e2ff Rename tls_checkpeer to tls_reqcert in ServerHello message 2020-01-23 10:12:12 -07:00
Laszlo Orban
38160d0ccb logserver: enable/disable SO_KEEPALIVE socket option based on tcp_keepalive configuration option in sudo_logsrvd.conf 2020-01-22 10:52:18 -07:00
Todd C. Miller
dde86e585f Add support for building on OpenSSL 1.0.2. 
This adds compatibility defines for some OpenSSL 1.1.x functions.
 2020-01-21 13:27:40 -07:00
Todd C. Miller
c3bd025052 Store the server host name and IP in client_closure_fill(). 
Also check for getpeername() and inet_ntop() failure.
 2020-01-20 14:03:41 -07:00
Todd C. Miller
2d91555e85 Fix handling of SSL_ERROR_WANT_{READ,WRITE} during normal I/O. 
If we get SSL_ERROR_WANT_WRITE during SSL_read(), we need to resume
the SSL_read(), not call SSL_write() as we were doing.  Likewise
for SSL_ERROR_WANT_READ received from SSL_write().
This introduces a flag so we call the proper callback even when
the I/O direction doesn't match the read/write calls.
 2020-01-20 12:42:39 -07:00
Todd C. Miller
47d9504716 Add debugging statements to certificate checks. 2020-01-18 12:57:24 -07:00
Laszlo Orban
829fb9db84 do client identity validation in logserver 2020-01-18 05:49:54 -07:00
Todd C. Miller
9b12b21eaa Fix TLS accept when SSL_accept() returns SSL_ERROR_WANT_WRITE. 
We need to switch from SUDO_EV_READ to SUDO_EV_WRITE for this case.
 2020-01-16 17:37:46 -07:00
Todd C. Miller
486ee2b71f debug_decl and debug_decl_vars now require a semicolon at the end. 2019-12-22 08:48:16 -07:00
Laszlo Orban
5e36cc655c cert files can contain the full chain of trust, so load all certs in every case for verification 2019-12-06 11:17:12 +01:00
Laszlo Orban
1dceb8bbb8 add default values for cert paths 2019-12-04 14:18:24 +01:00
Laszlo Orban
f5e0e2a4bb Merge pull request #11 from sudo-project/audit-server-tls-async 
Sudo audit Server - TLS protocol update
 2019-11-27 08:29:19 +01:00
Laszlo Orban
06a0f89704 disable timeout for the reader after ServerHello message 2019-11-26 14:07:56 +01:00
Laszlo Orban
21e7fdfd55 use event timeout instead of socket timeout 2019-11-26 08:36:02 +01:00
Todd C. Miller
1747e50090 Exit if the first call to logsrvd_conf_read() fails. 
It is not fatal if subsequent calls fail (due to SIGHUP) since we
keep a copy of the old config before installing the new one.
 2019-11-25 13:38:22 -07:00
Laszlo Orban
f67d0d13cf ServerHello message is now unencrypted, TLS communication has been refactored to full async 2019-11-22 11:11:55 +01:00
Laszlo Orban
33f6a16764 extend ServerHello message with two fields (tls, tls_checkpeer) 2019-11-22 11:11:55 +01:00
Todd C. Miller
810669c4f0 Check closure->ssl for non-NULL instead of logsrvd_conf_get_tls_opt(). 
It's a little more obvious this way and ssl is only non-NULL when the
tls option is enabled anyway.
 2019-11-17 08:06:37 -07:00
Todd C. Miller
5be951bd79 Init iolog_dir_fd and sock in connection_closure before adding to list. 
Otherwise we could close the wrong fds in the error path.
 2019-11-17 08:02:20 -07:00
Todd C. Miller
690f145d3f LibreSSL and older OpenSSL don't support SSL_CTX_set_ciphersuites(). 
Add a configure test and skip TLS 1.3 setup if it is missing.
We still accept the tls_ciphers13 config setting but it will be ignored.
 2019-11-15 13:19:28 -07:00
Todd C. Miller
68480b0959 Minor style nits that I missed during review. 2019-11-15 12:48:42 -07:00
Laszlo Orban
b9641816d6 set timeout value for the socket 2019-11-15 09:52:48 +01:00
Laszlo Orban
e201f104d4 make audit server openssl dependency optional; tls layer is compiled only if sudo is built with --enable-openssl feature switch 2019-11-15 09:52:48 +01:00
Laszlo Orban
9df5e6c11d fixed segfault when connection_closure_free() tries to remove a non-existent connection object from the list 2019-11-15 09:52:48 +01:00
Laszlo Orban
764fb3e6bd verify server/client certs with CA certificate chain file 2019-11-15 09:52:48 +01:00
Laszlo Orban
037fb9298e fix copy-paste mistake 2019-11-15 09:52:48 +01:00
Laszlo Orban
3615576481 process tls config params in the audit server and establish TLS connection accordingly 2019-11-15 09:52:48 +01:00