fluent-plugin-secure-forward 0.3.1 → 0.3.2
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/README.md +3 -2
- data/fluent-plugin-secure-forward.gemspec +1 -1
- data/lib/fluent/plugin/input_session.rb +6 -5
- data/lib/fluent/plugin/output_node.rb +7 -6
- metadata +1 -1
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 55415b9e94812aef780d83eb0cbb597268440e49
|
|
4
|
+
data.tar.gz: 131d127a374a50390413313255c48ad9842d4174
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 77c5921e2bfa43fd48a0080de09ccebc28f2f76b218efa1f8b53e09b32b8d1aed9ce4dbbf77ebb713df7c8375a231ea0a426d77b5c4843ae8e954ba8b19abb90
|
|
7
|
+
data.tar.gz: d09d5754ed1dded8392ee0674249ea9c1d04fd5f49d66f823539fc3e1b974eb6b9e108439f1337431e51222477a8313eaa49d892ff89079398faa7a1f7fc2833
|
data/README.md
CHANGED
|
@@ -396,17 +396,18 @@ To specify keepalive timeouts, use `keepalive` configuration with seconds. SSL c
|
|
|
396
396
|
3. (server) send HELO
|
|
397
397
|
* ['HELO', options(hash)]
|
|
398
398
|
* options:
|
|
399
|
+
* nonce: string as nonce: used for shared key digest (required, v0.3.2 or later)
|
|
399
400
|
* auth: string or blank\_string (string: authentication required, and its salt is this value)
|
|
400
401
|
* keepalive: bool (allowed or not)
|
|
401
402
|
4. (client) send PING
|
|
402
|
-
* ['PING', selfhostname, sharedkey\_salt, sha512\_hex(sharedkey\_salt + selfhostname + sharedkey), username || '', sha512\_hex(auth\_salt + username + password) || '']
|
|
403
|
+
* ['PING', selfhostname, sharedkey\_salt, sha512\_hex(sharedkey\_salt + selfhostname + nonce + sharedkey), username || '', sha512\_hex(auth\_salt + username + password) || '']
|
|
403
404
|
5. (server) check PING
|
|
404
405
|
* check sharedkey
|
|
405
406
|
* check username / password (if required)
|
|
406
407
|
* send PONG FAILURE if failed
|
|
407
408
|
* ['PONG', false, 'reason of authentication failure', '', '']
|
|
408
409
|
6. (server) send PONG
|
|
409
|
-
* ['PONG', bool(authentication result), 'reason if authentication failed', selfhostname, sha512\_hex(salt + selfhostname + sharedkey)]
|
|
410
|
+
* ['PONG', bool(authentication result), 'reason if authentication failed', selfhostname, sha512\_hex(salt + selfhostname + nonce + sharedkey)]
|
|
410
411
|
7. (client) check PONG
|
|
411
412
|
* check sharedkey
|
|
412
413
|
* disconnect when failed
|
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
# -*- encoding: utf-8 -*-
|
|
2
2
|
Gem::Specification.new do |gem|
|
|
3
3
|
gem.name = "fluent-plugin-secure-forward"
|
|
4
|
-
gem.version = "0.3.
|
|
4
|
+
gem.version = "0.3.2"
|
|
5
5
|
gem.authors = ["TAGOMORI Satoshi"]
|
|
6
6
|
gem.email = ["tagomoris@gmail.com"]
|
|
7
7
|
gem.summary = %q{Fluentd input/output plugin to forward over SSL with authentications}
|
|
@@ -62,12 +62,12 @@ class Fluent::SecureForwardInput::Session
|
|
|
62
62
|
def generate_helo
|
|
63
63
|
log.debug "generating helo"
|
|
64
64
|
# ['HELO', options(hash)]
|
|
65
|
-
[ 'HELO', {'auth' => (@receiver.authentication ? @auth_key_salt : ''), 'keepalive' => @receiver.allow_keepalive } ]
|
|
65
|
+
[ 'HELO', {'nonce' => @shared_key_nonce, 'auth' => (@receiver.authentication ? @auth_key_salt : ''), 'keepalive' => @receiver.allow_keepalive } ]
|
|
66
66
|
end
|
|
67
67
|
|
|
68
68
|
def check_ping(message)
|
|
69
69
|
log.debug "checking ping"
|
|
70
|
-
# ['PING', self_hostname, shared_key\_salt, sha512\_hex(shared_key\_salt + self_hostname + shared_key),
|
|
70
|
+
# ['PING', self_hostname, shared_key\_salt, sha512\_hex(shared_key\_salt + self_hostname + nonce + shared_key),
|
|
71
71
|
# username || '', sha512\_hex(auth\_salt + username + password) || '']
|
|
72
72
|
unless message.size == 6 && message[0] == 'PING'
|
|
73
73
|
return false, 'invalid ping message'
|
|
@@ -79,7 +79,7 @@ class Fluent::SecureForwardInput::Session
|
|
|
79
79
|
else
|
|
80
80
|
@receiver.shared_key
|
|
81
81
|
end
|
|
82
|
-
serverside = Digest::SHA512.new.update(shared_key_salt).update(hostname).update(shared_key).hexdigest
|
|
82
|
+
serverside = Digest::SHA512.new.update(shared_key_salt).update(hostname).update(@shared_key_nonce).update(shared_key).hexdigest
|
|
83
83
|
if shared_key_hexdigest != serverside
|
|
84
84
|
log.warn "Shared key mismatch from '#{hostname}'"
|
|
85
85
|
return false, 'shared_key mismatch'
|
|
@@ -104,7 +104,7 @@ class Fluent::SecureForwardInput::Session
|
|
|
104
104
|
def generate_pong(auth_result, reason_or_salt)
|
|
105
105
|
log.debug "generating pong"
|
|
106
106
|
# ['PONG', bool(authentication result), 'reason if authentication failed',
|
|
107
|
-
# self_hostname, sha512\_hex(salt + self_hostname + sharedkey)]
|
|
107
|
+
# self_hostname, sha512\_hex(salt + self_hostname + nonce + sharedkey)]
|
|
108
108
|
if not auth_result
|
|
109
109
|
return ['PONG', false, reason_or_salt, '', '']
|
|
110
110
|
end
|
|
@@ -114,7 +114,7 @@ class Fluent::SecureForwardInput::Session
|
|
|
114
114
|
else
|
|
115
115
|
@receiver.shared_key
|
|
116
116
|
end
|
|
117
|
-
shared_key_hex = Digest::SHA512.new.update(reason_or_salt).update(@receiver.self_hostname).update(shared_key).hexdigest
|
|
117
|
+
shared_key_hex = Digest::SHA512.new.update(reason_or_salt).update(@receiver.self_hostname).update(@shared_key_nonce).update(shared_key).hexdigest
|
|
118
118
|
[ 'PONG', true, '', @receiver.self_hostname, shared_key_hex ]
|
|
119
119
|
end
|
|
120
120
|
|
|
@@ -164,6 +164,7 @@ class Fluent::SecureForwardInput::Session
|
|
|
164
164
|
return
|
|
165
165
|
end
|
|
166
166
|
|
|
167
|
+
@shared_key_nonce = generate_salt
|
|
167
168
|
@auth_key_salt = generate_salt
|
|
168
169
|
|
|
169
170
|
buf = ''
|
|
@@ -130,6 +130,7 @@ class Fluent::SecureForwardOutput::Node
|
|
|
130
130
|
return false
|
|
131
131
|
end
|
|
132
132
|
opts = message[1]
|
|
133
|
+
@shared_key_nonce = opts['nonce'] || '' # make shared_key_check failed (instead of error) if protocol version mismatch exist
|
|
133
134
|
@authentication = opts['auth']
|
|
134
135
|
@allow_keepalive = opts['keepalive']
|
|
135
136
|
true
|
|
@@ -137,9 +138,9 @@ class Fluent::SecureForwardOutput::Node
|
|
|
137
138
|
|
|
138
139
|
def generate_ping
|
|
139
140
|
log.debug "generating ping"
|
|
140
|
-
# ['PING', self_hostname, sharedkey\_salt, sha512\_hex(sharedkey\_salt + self_hostname + shared_key),
|
|
141
|
+
# ['PING', self_hostname, sharedkey\_salt, sha512\_hex(sharedkey\_salt + self_hostname + nonce + shared_key),
|
|
141
142
|
# username || '', sha512\_hex(auth\_salt + username + password) || '']
|
|
142
|
-
shared_key_hexdigest = Digest::SHA512.new.update(@shared_key_salt).update(@sender.self_hostname).update(@shared_key).hexdigest
|
|
143
|
+
shared_key_hexdigest = Digest::SHA512.new.update(@shared_key_salt).update(@sender.self_hostname).update(@shared_key_nonce).update(@shared_key).hexdigest
|
|
143
144
|
ping = ['PING', @sender.self_hostname, @shared_key_salt, shared_key_hexdigest]
|
|
144
145
|
if @authentication != ''
|
|
145
146
|
password_hexdigest = Digest::SHA512.new.update(@authentication).update(@username).update(@password).hexdigest
|
|
@@ -153,7 +154,7 @@ class Fluent::SecureForwardOutput::Node
|
|
|
153
154
|
def check_pong(message)
|
|
154
155
|
log.debug "checking pong"
|
|
155
156
|
# ['PONG', bool(authentication result), 'reason if authentication failed',
|
|
156
|
-
# self_hostname, sha512\_hex(salt + self_hostname + sharedkey)]
|
|
157
|
+
# self_hostname, sha512\_hex(salt + self_hostname + nonce + sharedkey)]
|
|
157
158
|
unless message.size == 5 && message[0] == 'PONG'
|
|
158
159
|
return false, 'invalid format for PONG message'
|
|
159
160
|
end
|
|
@@ -167,7 +168,7 @@ class Fluent::SecureForwardOutput::Node
|
|
|
167
168
|
return false, 'same hostname between input and output: invalid configuration'
|
|
168
169
|
end
|
|
169
170
|
|
|
170
|
-
clientside = Digest::SHA512.new.update(@shared_key_salt).update(hostname).update(@shared_key).hexdigest
|
|
171
|
+
clientside = Digest::SHA512.new.update(@shared_key_salt).update(hostname).update(@shared_key_nonce).update(@shared_key).hexdigest
|
|
171
172
|
unless shared_key_hexdigest == clientside
|
|
172
173
|
return false, 'shared key mismatch'
|
|
173
174
|
end
|
|
@@ -253,9 +254,9 @@ class Fluent::SecureForwardOutput::Node
|
|
|
253
254
|
log.trace "set verify_mode VERIFY_PEER"
|
|
254
255
|
context.verify_mode = OpenSSL::SSL::VERIFY_PEER
|
|
255
256
|
if @sender.enable_strict_verification
|
|
256
|
-
context.
|
|
257
|
+
context.cert_store = OpenSSL::X509::Store.new
|
|
257
258
|
begin
|
|
258
|
-
context.
|
|
259
|
+
context.cert_store.set_default_paths
|
|
259
260
|
rescue OpenSSL::X509::StoreError => e
|
|
260
261
|
log.warn "faild to load system default certificates", error: e
|
|
261
262
|
end
|