From 2145c978917b5217280e21b6fbaaeeb4c725f99b Mon Sep 17 00:00:00 2001
From: Antal Nemes
Date: Sat, 20 Oct 2018 19:01:26 +0200
Subject: [PATCH 1/4] tlscontext: compression setting function made to public

Signed-off-by: Antal Nemes
---
 lib/tlscontext.c | 13 +++++++++++++
 lib/tlscontext.h | 1 +
 lib/transport/transport-factory-tls.c | 16 ++--------------
 3 files changed, 16 insertions(+), 14 deletions(-)

diff --git a/lib/tlscontext.c b/lib/tlscontext.c
index c8ca8054c39..f735ec7b7fc 100644
--- a/lib/tlscontext.c
+++ b/lib/tlscontext.c
@@ -66,6 +66,19 @@ typedef enum
   TLS_CONTEXT_PASSWORD_ERROR
 } TLSContextLoadResult;
 
+void
+tls_session_configure_allow_compress(TLSSession *tls_session, gboolean allow_compress)
+{
+  if (allow_compress)
+    {
+      SSL_clear_options(tls_session->ssl, SSL_OP_NO_COMPRESSION);
+    }
+  else
+    {
+      SSL_set_options(tls_session->ssl, SSL_OP_NO_COMPRESSION);
+    }
+}
+
 gboolean
 tls_get_x509_digest(X509 *x, GString *hash_string)
 {
diff --git a/lib/tlscontext.h b/lib/tlscontext.h
index 0c201d789a4..8bb8e86f33d 100644
--- a/lib/tlscontext.h
+++ b/lib/tlscontext.h
@@ -108,6 +108,7 @@ TLSVerifier *tls_verifier_ref(TLSVerifier *self);
 void tls_verifier_unref(TLSVerifier *self);
 
+void tls_session_configure_allow_compress(TLSSession *tls_session, gboolean allow_compress);
 gboolean tls_context_set_verify_mode_by_name(TLSContext *self, const gchar *mode_str);
 gboolean tls_context_set_ssl_options_by_name(TLSContext *self, GList *options);
 gint tls_context_get_verify_mode(const TLSContext *self);
diff --git a/lib/transport/transport-factory-tls.c b/lib/transport/transport-factory-tls.c
index 896d923ac03..c6558be52e0 100644
--- a/lib/transport/transport-factory-tls.c
+++ b/lib/transport/transport-factory-tls.c
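Review bot: `tls_session_configure_allow_compress` becomes a public entry point in lib/tlscontext.c with no header comment, and the one thing a caller must know is that `SSL_clear_options(..., SSL_OP_NO_COMPRESSION)` re-enables TLS-level compression, which leaks plaintext length and is a well-known side channel (the CRIME class of attacks); that is why recent OpenSSL releases leave it disabled unless explicitly cleared. Suggest a comment above the definition, or on the new prototype in lib/tlscontext.h: `/* allow_compress == TRUE re-enables TLS compression on this session by clearing SSL_OP_NO_COMPRESSION; compression is a known plaintext-length side channel, so callers should default to FALSE and only enable it on explicit configuration. */`. The function dereferences `tls_session->ssl` unconditionally; both callers visible in this series check `tls_session` for NULL before calling, and that precondition belongs in the same comment.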
@@ -22,24 +22,12 @@
  *
  */
 
+#include "tlscontext.h"
 #include "transport/transport-factory-tls.h"
 #include "transport/transport-tls.h"
 
 DEFINE_TRANSPORT_FACTORY_ID_FUN("tls", transport_factory_tls_id);
 
-static void
-_tls_session_allow_compress(TLSSession *tls_session, gboolean allow_compress)
-{
-  if (!allow_compress)
-    {
-      SSL_set_options(tls_session->ssl, SSL_OP_NO_COMPRESSION);
-    }
-  else
-    {
-      SSL_clear_options(tls_session->ssl, SSL_OP_NO_COMPRESSION);
-    }
-}
-
 static LogTransport *
 _construct_transport(const TransportFactory *s, gint fd)
 {
@@ -49,7 +37,7 @@ _construct_transport(const TransportFactory *s, gint fd)
   if (!tls_session)
     return NULL;
 
-  _tls_session_allow_compress(tls_session, self->allow_compress);
+  tls_session_configure_allow_compress(tls_session, self->allow_compress);
 
   tls_session_set_verifier(tls_session, self->tls_verifier);
 

From e3d5490f63700e883c953115906d70eb2ae55291 Mon Sep 17 00:00:00 2001
From: Antal Nemes
Date: Sat, 20 Oct 2018 19:02:21 +0200
Subject: [PATCH 2/4] tls: port allow_compress option

Signed-off-by: Antal Nemes
---
 modules/afsocket/afsocket-grammar.ym | 5 +++++
 modules/afsocket/afsocket-parser.c | 1 +
 modules/afsocket/transport-mapper-inet.c | 1 +
 modules/afsocket/transport-mapper-inet.h | 8 ++++++++
 4 files changed, 15 insertions(+)

diff --git a/modules/afsocket/afsocket-grammar.ym b/modules/afsocket/afsocket-grammar.ym
index 78b04aca420..577f1f9a54b 100644
--- a/modules/afsocket/afsocket-grammar.ym
+++ b/modules/afsocket/afsocket-grammar.ym
@@ -182,6 +182,7 @@ systemd_syslog_grammar_set_source_driver(SystemDSyslogSourceDriver *sd)
 %token KW_CIPHER_SUITE
 %token KW_ECDH_CURVE_LIST
 %token KW_SSL_OPTIONS
+%token KW_ALLOW_COMPRESS
 
 /* INCLUDE_DECLS */
 
@@ -817,6 +818,10 @@ tls_option
             CHECK_ERROR(tls_context_set_ssl_options_by_name(last_tls_context, $3), @3, "unknown ssl-options() argument");
           }
+        | KW_ALLOW_COMPRESS '(' yesno ')'
+          {
+            transport_mapper_inet_set_allow_compress(last_transport_mapper, $3);
+          }
         | KW_ENDIF                         { }
         ;
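Review bot: The new `allow_compress()` branch of `tls_option` in afsocket-grammar.ym stores the setting on `last_transport_mapper`, while the neighbouring branches (e.g. the `ssl_options()` branch directly above) act on `last_tls_context`; the option is therefore per transport mapper rather than per TLSContext, which a reader of the grammar would not expect and which should be stated next to the rule: `/* allow_compress() is a transport-level setting: it lives on the TransportMapperInet, not on the TLSContext, so it is applied per session in the transport constructors */`. Whether `last_transport_mapper` is always set when a `tls()` block is parsed cannot be confirmed from this hunk. The default (compression disabled) also depends on the TransportMapperInet being zero-initialised, which is not visible here and is worth a sentence in the same comment.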
diff --git a/modules/afsocket/afsocket-parser.c b/modules/afsocket/afsocket-parser.c
index 11843771486..74235d643ec 100644
--- a/modules/afsocket/afsocket-parser.c
+++ b/modules/afsocket/afsocket-parser.c
@@ -57,6 +57,7 @@ static CfgLexerKeyword afsocket_keywords[] =
   { "ecdh_curve_list", KW_ECDH_CURVE_LIST },
   { "curve_list", KW_ECDH_CURVE_LIST, KWS_OBSOLETE, "ecdh_curve_list"},
   { "ssl_options", KW_SSL_OPTIONS },
+  { "allow_compress", KW_ALLOW_COMPRESS },
 
   { "localip", KW_LOCALIP },
   { "ip", KW_IP },
diff --git a/modules/afsocket/transport-mapper-inet.c b/modules/afsocket/transport-mapper-inet.c
index 7b28a3b886d..242017354d4 100644
--- a/modules/afsocket/transport-mapper-inet.c
+++ b/modules/afsocket/transport-mapper-inet.c
@@ -101,6 +101,7 @@ _construct_tls_transport(TransportMapperInet *self, gint fd)
   if (!tls_session)
     return NULL;
 
+  tls_session_configure_allow_compress(tls_session, self->allow_compress);
   tls_session_set_verifier(tls_session, self->tls_verifier);
 
   return log_transport_tls_new(tls_session, fd);
diff --git a/modules/afsocket/transport-mapper-inet.h b/modules/afsocket/transport-mapper-inet.h
index 185ffb39498..b8243c29727 100644
--- a/modules/afsocket/transport-mapper-inet.h
+++ b/modules/afsocket/transport-mapper-inet.h
@@ -32,6 +32,7 @@ typedef struct _TransportMapperInet
   gint server_port;
   const gchar *server_port_change_warning;
 
+  gboolean allow_compress;
   gboolean require_tls;
   gboolean allow_tls;
   gboolean require_tls_when_has_tls_context;
@@ -40,6 +41,13 @@ typedef struct _TransportMapperInet
   gpointer secret_store_cb_data;
 } TransportMapperInet;
 
+static inline void
+transport_mapper_inet_set_allow_compress(TransportMapper *s, gboolean value)
+{
+  TransportMapperInet *self = (TransportMapperInet *) s;
+  self->allow_compress = value;
+}
+
 static inline gint
 transport_mapper_inet_get_server_port(const TransportMapper *self)
 {

From 9edf65aea175df41db98318a3704fa60abb965d3 Mon Sep 17 00:00:00 2001
From: Antal Nemes
Date: Tue, 30 Oct 2018 13:57:00 +0100
Subject: [PATCH 3/4] transport-factory-tls: also needs to use allow compress

Signed-off-by: Antal Nemes
---
 lib/transport/transport-factory-tls.c | 7 ++++++-
 lib/transport/transport-factory-tls.h | 2 +-
 modules/afsocket/transport-mapper-inet.c | 5 +++--
 3 files changed, 10 insertions(+), 4 deletions(-)

diff --git a/lib/transport/transport-factory-tls.c b/lib/transport/transport-factory-tls.c
index c6558be52e0..4f773455491 100644
--- a/lib/transport/transport-factory-tls.c
+++ b/lib/transport/transport-factory-tls.c
@@ -68,7 +68,7 @@ _free(TransportFactory *s)
 }
 
 TransportFactory *
-transport_factory_tls_new(TLSContext *ctx, TLSVerifier *tls_verifier)
+transport_factory_tls_new(TLSContext *ctx, TLSVerifier *tls_verifier, gboolean allow_compress)
 {
   TransportFactoryTLS *instance = g_new0(TransportFactoryTLS, 1);
 
@@ -79,5 +79,10 @@ transport_factory_tls_new(TLSContext *ctx, TLSVerifier *tls_verifier)
   instance->super.construct_transport = _construct_transport;
   instance->super.free_fn = _free;
 
+  if (allow_compress)
+    transport_factory_tls_enable_compression((TransportFactory *)instance);
+  else
+    transport_factory_tls_disable_compression((TransportFactory *)instance);
+
   return &instance->super;
 }
diff --git a/lib/transport/transport-factory-tls.h b/lib/transport/transport-factory-tls.h
index e619dbc5b61..345d6d3c269 100644
--- a/lib/transport/transport-factory-tls.h
+++ b/lib/transport/transport-factory-tls.h
@@ -38,7 +38,7 @@ struct _TransportFactoryTLS
   gboolean allow_compress;
 };
 
-TransportFactory *transport_factory_tls_new(TLSContext *ctx, TLSVerifier *tls_verifier);
+TransportFactory *transport_factory_tls_new(TLSContext *ctx, TLSVerifier *tls_verifier, gboolean allow_compress);
 void transport_factory_tls_enable_compression(TransportFactory *);
 void transport_factory_tls_disable_compression(TransportFactory *);
 
diff --git a/modules/afsocket/transport-mapper-inet.c b/modules/afsocket/transport-mapper-inet.c
index 242017354d4..499e695ece7 100644
--- a/modules/afsocket/transport-mapper-inet.c
+++ b/modules/afsocket/transport-mapper-inet.c
@@ -87,7 +87,8 @@ transport_mapper_inet_apply_transport_method(TransportMapper *s, GlobalConfig *c
 static LogTransport *
 _construct_multitransport_with_tls_factory(TransportMapperInet *self, gint fd)
 {
-  TransportFactory *default_factory = transport_factory_tls_new(self->tls_context, self->tls_verifier);
+  TransportFactory *default_factory = transport_factory_tls_new(self->tls_context, self->tls_verifier,
+                                                                self->allow_compress);
 
   return multitransport_new(default_factory, fd);
 }
@@ -120,7 +121,7 @@ _construct_multitransport_with_plain_and_tls_factories(TransportMapperInet *self
 {
   LogTransport *transport = _construct_multitransport_with_plain_tcp_factory(self, fd);
 
-  TransportFactory *tls_factory = transport_factory_tls_new(self->tls_context, self->tls_verifier);
+  TransportFactory *tls_factory = transport_factory_tls_new(self->tls_context, self->tls_verifier, self->allow_compress);
 
   multitransport_add_factory((MultiTransport *)transport, tls_factory);
   return transport;

From df34bd57a9c542f42d69e9a4eec47ad7ac3cadeb Mon Sep 17 00:00:00 2001
From: Antal Nemes
Date: Tue, 27 Nov 2018 16:31:44 +0100
Subject: [PATCH 4/4] refactor: turn allow_compress into flag instead of gboolean

Signed-off-by: Antal Nemes
---
 lib/tlscontext.h | 2 ++
 lib/transport/transport-factory-tls.c | 4 ++--
 lib/transport/transport-factory-tls.h | 2 +-
 modules/afsocket/transport-mapper-inet.c | 7 +++----
 modules/afsocket/transport-mapper-inet.h | 7 +++++--
 5 files changed, 13 insertions(+), 9 deletions(-)

diff --git a/lib/tlscontext.h b/lib/tlscontext.h
index 8bb8e86f33d..21feacf7d39 100644
--- a/lib/tlscontext.h
+++ b/lib/tlscontext.h
@@ -91,6 +91,8 @@ typedef struct _TLSSession
   } peer_info;
 } TLSSession;
 
+#define TMI_ALLOW_COMPRESS 0x1
+
 void tls_session_set_verifier(TLSSession *self, TLSVerifier *verifier);
 void tls_session_free(TLSSession *self);
 
diff --git a/lib/transport/transport-factory-tls.c b/lib/transport/transport-factory-tls.c
index 4f773455491..6a174eed0d9 100644
--- a/lib/transport/transport-factory-tls.c
+++ b/lib/transport/transport-factory-tls.c
@@ -68,7 +68,7 @@ _free(TransportFactory *s)
 }
 
 TransportFactory *
-transport_factory_tls_new(TLSContext *ctx, TLSVerifier *tls_verifier, gboolean allow_compress)
+transport_factory_tls_new(TLSContext *ctx, TLSVerifier *tls_verifier, guint32 flags)
 {
   TransportFactoryTLS *instance = g_new0(TransportFactoryTLS, 1);
 
@@ -79,7 +79,7 @@ transport_factory_tls_new(TLSContext *ctx, TLSVerifier *tls_verifier, gboolean a
   instance->super.construct_transport = _construct_transport;
   instance->super.free_fn = _free;
 
-  if (allow_compress)
+  if (flags & TMI_ALLOW_COMPRESS)
     transport_factory_tls_enable_compression((TransportFactory *)instance);
   else
     transport_factory_tls_disable_compression((TransportFactory *)instance);
diff --git a/lib/transport/transport-factory-tls.h b/lib/transport/transport-factory-tls.h
index 345d6d3c269..f4ecbc1f090 100644
--- a/lib/transport/transport-factory-tls.h
+++ b/lib/transport/transport-factory-tls.h
@@ -38,7 +38,7 @@ struct _TransportFactoryTLS
   gboolean allow_compress;
 };
 
-TransportFactory *transport_factory_tls_new(TLSContext *ctx, TLSVerifier *tls_verifier, gboolean allow_compress);
+TransportFactory *transport_factory_tls_new(TLSContext *ctx, TLSVerifier *tls_verifier, guint32 flags);
 void transport_factory_tls_enable_compression(TransportFactory *);
 void transport_factory_tls_disable_compression(TransportFactory *);
 
diff --git a/modules/afsocket/transport-mapper-inet.c b/modules/afsocket/transport-mapper-inet.c
index 499e695ece7..d9fc837ad46 100644
--- a/modules/afsocket/transport-mapper-inet.c
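Review bot: `TMI_ALLOW_COMPRESS` is a TransportMapperInet flag (the `TMI_` prefix says so) but it is defined in lib/tlscontext.h, a library header that otherwise knows nothing about transport mappers; its consumers are lib/transport/transport-factory-tls.c in this patch and modules/afsocket/transport-mapper-inet.{c,h} in the hunks that follow, including the inline setter in transport-mapper-inet.h. A bit of the `flags` argument of `transport_factory_tls_new` belongs in lib/transport/transport-factory-tls.h under that module's naming, and `TransportMapperInet.flags` can carry the same value; if it stays here it needs at least a comment, e.g. `/* bit in TransportMapperInet.flags and in the flags argument of transport_factory_tls_new(): re-enable TLS compression */`. Whether transport-mapper-inet.h includes tlscontext.h, which its inline setter now requires for this macro, is not visible in the series.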
+++ b/modules/afsocket/transport-mapper-inet.c
@@ -87,8 +87,7 @@ transport_mapper_inet_apply_transport_method(TransportMapper *s, GlobalConfig *c
 static LogTransport *
 _construct_multitransport_with_tls_factory(TransportMapperInet *self, gint fd)
 {
-  TransportFactory *default_factory = transport_factory_tls_new(self->tls_context, self->tls_verifier,
-                                                                self->allow_compress);
+  TransportFactory *default_factory = transport_factory_tls_new(self->tls_context, self->tls_verifier, self->flags);
 
   return multitransport_new(default_factory, fd);
 }
@@ -102,7 +101,7 @@ _construct_tls_transport(TransportMapperInet *self, gint fd)
   if (!tls_session)
     return NULL;
 
-  tls_session_configure_allow_compress(tls_session, self->allow_compress);
+  tls_session_configure_allow_compress(tls_session, self->flags & TMI_ALLOW_COMPRESS);
   tls_session_set_verifier(tls_session, self->tls_verifier);
 
   return log_transport_tls_new(tls_session, fd);
@@ -121,7 +120,7 @@ _construct_multitransport_with_plain_and_tls_factories(TransportMapperInet *self
 {
   LogTransport *transport = _construct_multitransport_with_plain_tcp_factory(self, fd);
 
-  TransportFactory *tls_factory = transport_factory_tls_new(self->tls_context, self->tls_verifier, self->allow_compress);
+  TransportFactory *tls_factory = transport_factory_tls_new(self->tls_context, self->tls_verifier, self->flags);
 
   multitransport_add_factory((MultiTransport *)transport, tls_factory);
   return transport;
diff --git a/modules/afsocket/transport-mapper-inet.h b/modules/afsocket/transport-mapper-inet.h
index b8243c29727..031731817a6 100644
--- a/modules/afsocket/transport-mapper-inet.h
+++ b/modules/afsocket/transport-mapper-inet.h
@@ -32,7 +32,7 @@ typedef struct _TransportMapperInet
   gint server_port;
   const gchar *server_port_change_warning;
 
-  gboolean allow_compress;
+  guint32 flags;
   gboolean require_tls;
   gboolean allow_tls;
   gboolean require_tls_when_has_tls_context;
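Review bot: In the `_construct_tls_transport` hunk, `tls_session_configure_allow_compress(tls_session, self->flags & TMI_ALLOW_COMPRESS)` passes a raw bit mask where the callee takes a `gboolean`; this is correct today only because the flag happens to be `0x1` and the callee tests the value for non-zero. If the bit is ever moved or the callee is changed to compare against `TRUE`, the compression setting changes silently, so normalise at the call site: `tls_session_configure_allow_compress(tls_session, (self->flags & TMI_ALLOW_COMPRESS) != 0);`. The other two hunks in this file pass `self->flags` through to `transport_factory_tls_new`, which masks the bit itself, so they are fine. `_construct_tls_transport` starts outside the hunk.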
@@ -45,7 +45,10 @@ static inline void
 transport_mapper_inet_set_allow_compress(TransportMapper *s, gboolean value)
 {
   TransportMapperInet *self = (TransportMapperInet *) s;
-  self->allow_compress = value;
+  if (value)
+    self->flags |= TMI_ALLOW_COMPRESS;
+  else
+    self->flags &= ~TMI_ALLOW_COMPRESS;
 }
 
 static inline gint