fluent-plugin-secure-forward 0.3.1 → 0.3.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/README.md +3 -2
- data/fluent-plugin-secure-forward.gemspec +1 -1
- data/lib/fluent/plugin/input_session.rb +6 -5
- data/lib/fluent/plugin/output_node.rb +7 -6
- metadata +1 -1
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 55415b9e94812aef780d83eb0cbb597268440e49
|
|
4
|
+
data.tar.gz: 131d127a374a50390413313255c48ad9842d4174
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 77c5921e2bfa43fd48a0080de09ccebc28f2f76b218efa1f8b53e09b32b8d1aed9ce4dbbf77ebb713df7c8375a231ea0a426d77b5c4843ae8e954ba8b19abb90
|
|
7
|
+
data.tar.gz: d09d5754ed1dded8392ee0674249ea9c1d04fd5f49d66f823539fc3e1b974eb6b9e108439f1337431e51222477a8313eaa49d892ff89079398faa7a1f7fc2833
|
data/README.md
CHANGED
|
@@ -396,17 +396,18 @@ To specify keepalive timeouts, use `keepalive` configuration with seconds. SSL c
|
|
|
396
396
|
3. (server) send HELO
|
|
397
397
|
* ['HELO', options(hash)]
|
|
398
398
|
* options:
|
|
399
|
+
* nonce: string as nonce: used for shared key digest (required, v0.3.2 or later)
|
|
399
400
|
* auth: string or blank\_string (string: authentication required, and its salt is this value)
|
|
400
401
|
* keepalive: bool (allowed or not)
|
|
401
402
|
4. (client) send PING
|
|
402
|
-
* ['PING', selfhostname, sharedkey\_salt, sha512\_hex(sharedkey\_salt + selfhostname + sharedkey), username || '', sha512\_hex(auth\_salt + username + password) || '']
|
|
403
|
+
* ['PING', selfhostname, sharedkey\_salt, sha512\_hex(sharedkey\_salt + selfhostname + nonce + sharedkey), username || '', sha512\_hex(auth\_salt + username + password) || '']
|
|
403
404
|
5. (server) check PING
|
|
404
405
|
* check sharedkey
|
|
405
406
|
* check username / password (if required)
|
|
406
407
|
* send PONG FAILURE if failed
|
|
407
408
|
* ['PONG', false, 'reason of authentication failure', '', '']
|
|
408
409
|
6. (server) send PONG
|
|
409
|
-
* ['PONG', bool(authentication result), 'reason if authentication failed', selfhostname, sha512\_hex(salt + selfhostname + sharedkey)]
|
|
410
|
+
* ['PONG', bool(authentication result), 'reason if authentication failed', selfhostname, sha512\_hex(salt + selfhostname + nonce + sharedkey)]
|
|
410
411
|
7. (client) check PONG
|
|
411
412
|
* check sharedkey
|
|
412
413
|
* disconnect when failed
|
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
# -*- encoding: utf-8 -*-
|
|
2
2
|
Gem::Specification.new do |gem|
|
|
3
3
|
gem.name = "fluent-plugin-secure-forward"
|
|
4
|
-
gem.version = "0.3.
|
|
4
|
+
gem.version = "0.3.2"
|
|
5
5
|
gem.authors = ["TAGOMORI Satoshi"]
|
|
6
6
|
gem.email = ["tagomoris@gmail.com"]
|
|
7
7
|
gem.summary = %q{Fluentd input/output plugin to forward over SSL with authentications}
|
|
@@ -62,12 +62,12 @@ class Fluent::SecureForwardInput::Session
|
|
|
62
62
|
def generate_helo
|
|
63
63
|
log.debug "generating helo"
|
|
64
64
|
# ['HELO', options(hash)]
|
|
65
|
-
[ 'HELO', {'auth' => (@receiver.authentication ? @auth_key_salt : ''), 'keepalive' => @receiver.allow_keepalive } ]
|
|
65
|
+
[ 'HELO', {'nonce' => @shared_key_nonce, 'auth' => (@receiver.authentication ? @auth_key_salt : ''), 'keepalive' => @receiver.allow_keepalive } ]
|
|
66
66
|
end
|
|
67
67
|
|
|
68
68
|
def check_ping(message)
|
|
69
69
|
log.debug "checking ping"
|
|
70
|
-
# ['PING', self_hostname, shared_key\_salt, sha512\_hex(shared_key\_salt + self_hostname + shared_key),
|
|
70
|
+
# ['PING', self_hostname, shared_key\_salt, sha512\_hex(shared_key\_salt + self_hostname + nonce + shared_key),
|
|
71
71
|
# username || '', sha512\_hex(auth\_salt + username + password) || '']
|
|
72
72
|
unless message.size == 6 && message[0] == 'PING'
|
|
73
73
|
return false, 'invalid ping message'
|
|
@@ -79,7 +79,7 @@ class Fluent::SecureForwardInput::Session
|
|
|
79
79
|
else
|
|
80
80
|
@receiver.shared_key
|
|
81
81
|
end
|
|
82
|
-
serverside = Digest::SHA512.new.update(shared_key_salt).update(hostname).update(shared_key).hexdigest
|
|
82
|
+
serverside = Digest::SHA512.new.update(shared_key_salt).update(hostname).update(@shared_key_nonce).update(shared_key).hexdigest
|
|
83
83
|
if shared_key_hexdigest != serverside
|
|
84
84
|
log.warn "Shared key mismatch from '#{hostname}'"
|
|
85
85
|
return false, 'shared_key mismatch'
|
|
@@ -104,7 +104,7 @@ class Fluent::SecureForwardInput::Session
|
|
|
104
104
|
def generate_pong(auth_result, reason_or_salt)
|
|
105
105
|
log.debug "generating pong"
|
|
106
106
|
# ['PONG', bool(authentication result), 'reason if authentication failed',
|
|
107
|
-
# self_hostname, sha512\_hex(salt + self_hostname + sharedkey)]
|
|
107
|
+
# self_hostname, sha512\_hex(salt + self_hostname + nonce + sharedkey)]
|
|
108
108
|
if not auth_result
|
|
109
109
|
return ['PONG', false, reason_or_salt, '', '']
|
|
110
110
|
end
|
|
@@ -114,7 +114,7 @@ class Fluent::SecureForwardInput::Session
|
|
|
114
114
|
else
|
|
115
115
|
@receiver.shared_key
|
|
116
116
|
end
|
|
117
|
-
shared_key_hex = Digest::SHA512.new.update(reason_or_salt).update(@receiver.self_hostname).update(shared_key).hexdigest
|
|
117
|
+
shared_key_hex = Digest::SHA512.new.update(reason_or_salt).update(@receiver.self_hostname).update(@shared_key_nonce).update(shared_key).hexdigest
|
|
118
118
|
[ 'PONG', true, '', @receiver.self_hostname, shared_key_hex ]
|
|
119
119
|
end
|
|
120
120
|
|
|
@@ -164,6 +164,7 @@ class Fluent::SecureForwardInput::Session
|
|
|
164
164
|
return
|
|
165
165
|
end
|
|
166
166
|
|
|
167
|
+
@shared_key_nonce = generate_salt
|
|
167
168
|
@auth_key_salt = generate_salt
|
|
168
169
|
|
|
169
170
|
buf = ''
|
|
@@ -130,6 +130,7 @@ class Fluent::SecureForwardOutput::Node
|
|
|
130
130
|
return false
|
|
131
131
|
end
|
|
132
132
|
opts = message[1]
|
|
133
|
+
@shared_key_nonce = opts['nonce'] || '' # make shared_key_check failed (instead of error) if protocol version mismatch exist
|
|
133
134
|
@authentication = opts['auth']
|
|
134
135
|
@allow_keepalive = opts['keepalive']
|
|
135
136
|
true
|
|
@@ -137,9 +138,9 @@ class Fluent::SecureForwardOutput::Node
|
|
|
137
138
|
|
|
138
139
|
def generate_ping
|
|
139
140
|
log.debug "generating ping"
|
|
140
|
-
# ['PING', self_hostname, sharedkey\_salt, sha512\_hex(sharedkey\_salt + self_hostname + shared_key),
|
|
141
|
+
# ['PING', self_hostname, sharedkey\_salt, sha512\_hex(sharedkey\_salt + self_hostname + nonce + shared_key),
|
|
141
142
|
# username || '', sha512\_hex(auth\_salt + username + password) || '']
|
|
142
|
-
shared_key_hexdigest = Digest::SHA512.new.update(@shared_key_salt).update(@sender.self_hostname).update(@shared_key).hexdigest
|
|
143
|
+
shared_key_hexdigest = Digest::SHA512.new.update(@shared_key_salt).update(@sender.self_hostname).update(@shared_key_nonce).update(@shared_key).hexdigest
|
|
143
144
|
ping = ['PING', @sender.self_hostname, @shared_key_salt, shared_key_hexdigest]
|
|
144
145
|
if @authentication != ''
|
|
145
146
|
password_hexdigest = Digest::SHA512.new.update(@authentication).update(@username).update(@password).hexdigest
|
|
@@ -153,7 +154,7 @@ class Fluent::SecureForwardOutput::Node
|
|
|
153
154
|
def check_pong(message)
|
|
154
155
|
log.debug "checking pong"
|
|
155
156
|
# ['PONG', bool(authentication result), 'reason if authentication failed',
|
|
156
|
-
# self_hostname, sha512\_hex(salt + self_hostname + sharedkey)]
|
|
157
|
+
# self_hostname, sha512\_hex(salt + self_hostname + nonce + sharedkey)]
|
|
157
158
|
unless message.size == 5 && message[0] == 'PONG'
|
|
158
159
|
return false, 'invalid format for PONG message'
|
|
159
160
|
end
|
|
@@ -167,7 +168,7 @@ class Fluent::SecureForwardOutput::Node
|
|
|
167
168
|
return false, 'same hostname between input and output: invalid configuration'
|
|
168
169
|
end
|
|
169
170
|
|
|
170
|
-
clientside = Digest::SHA512.new.update(@shared_key_salt).update(hostname).update(@shared_key).hexdigest
|
|
171
|
+
clientside = Digest::SHA512.new.update(@shared_key_salt).update(hostname).update(@shared_key_nonce).update(@shared_key).hexdigest
|
|
171
172
|
unless shared_key_hexdigest == clientside
|
|
172
173
|
return false, 'shared key mismatch'
|
|
173
174
|
end
|
|
@@ -253,9 +254,9 @@ class Fluent::SecureForwardOutput::Node
|
|
|
253
254
|
log.trace "set verify_mode VERIFY_PEER"
|
|
254
255
|
context.verify_mode = OpenSSL::SSL::VERIFY_PEER
|
|
255
256
|
if @sender.enable_strict_verification
|
|
256
|
-
context.
|
|
257
|
+
context.cert_store = OpenSSL::X509::Store.new
|
|
257
258
|
begin
|
|
258
|
-
context.
|
|
259
|
+
context.cert_store.set_default_paths
|
|
259
260
|
rescue OpenSSL::X509::StoreError => e
|
|
260
261
|
log.warn "faild to load system default certificates", error: e
|
|
261
262
|
end
|