Merge pull request #3453 from PascalWithopf/i-2611

tcpflood: add new transport option relp-tls
2025-12-18 14:30:41 +01:00 · 2019-02-18 09:28:35 +01:00 · 2019-02-18 09:28:35 +01:00 · 260b3afca7
commit 260b3afca7
parent bc51f99a52 3afa167d6f
3 changed files with 104 additions and 20 deletions
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@ -1034,7 +1034,8 @@ TESTS += \
         sndrcv_relp_tls_certvalid.sh \
         sndrcv_relp_tls_prio.sh \
         relp_tls_certificate_not_found.sh \
-	 omrelp_wrong_authmode.sh
+	 omrelp_wrong_authmode.sh \
+	 imrelp-tls.sh
 endif # ENABLE_GNUTLS
 if HAVE_VALGRIND
 TESTS += \
@ -1698,6 +1699,7 @@ EXTRA_DIST= \
        sndrcv_relp_tls_certvalid.sh \
 	relp_tls_certificate_not_found.sh \
 	omrelp_wrong_authmode.sh \
+	imrelp-tls.sh \
 	sndrcv_relp_dflt_pt.sh \
 	sndrcv_udp.sh \
 	imudp_thread_hang.sh \
--- a/tests/imrelp-tls.sh
+++ b/tests/imrelp-tls.sh
@ -0,0 +1,36 @@
+#!/bin/bash
+# addd 2019-01-31 by PascalWithopf, released under ASL 2.0
+. ${srcdir:=.}/diag.sh init
+export NUMMESSAGES=1000
+do_skip=0
+generate_conf
+add_conf '
+module(load="../plugins/imrelp/.libs/imrelp")
+input(type="imrelp" port="'$TCPFLOOD_PORT'" tls="on"
+		tls.cacert="'$srcdir'/tls-certs/ca.pem"
+		tls.mycert="'$srcdir'/tls-certs/cert.pem"
+		tls.myprivkey="'$srcdir'/tls-certs/key.pem"
+		tls.authmode="certvalid"
+		tls.permittedpeer="rsyslog")
+
+template(name="outfmt" type="string" string="%msg:F,58:2%\n")
+:msg, contains, "msgnum:" action(type="omfile" template="outfmt"
+			         file=`echo $RSYSLOG_OUT_LOG`)
+'
+startup
+./tcpflood -Trelp-tls -acertvalid -p$TCPFLOOD_PORT -m$NUMMESSAGES -x "$srcdir/tls-certs/ca.pem" -z "$srcdir/tls-certs/key.pem" -Z "$srcdir/tls-certs/cert.pem" -Ersyslog 2> $RSYSLOG_DYNNAME.tcpflood
+if [ $? -eq 1 ]; then
+	cat $RSYSLOG_DYNNAME.tcpflood
+	if ! grep "could net set.*certvalid" < "$RSYSLOG_DYNNAME.tcpflood" ; then
+		printf "librelp too old, need to skip this test\n"
+		do_skip=1
+	fi
+fi
+	cat -n $RSYSLOG_DYNNAME.tcpflood
+shutdown_when_empty
+wait_shutdown
+if [ $do_skip -eq 1 ]; then
+	skip_test
+fi
+seq_check
+exit_test
--- a/tests/tcpflood.c
+++ b/tests/tcpflood.c
@ -47,7 +47,7 @@
 *      each inidividual line has the runtime of one test
 *      the last line has 0 in field 1, followed by numberRuns,TotalRuntime,
 *      Average,min,max
- * -T   transport to use. Currently supported: "udp", "tcp" (default), "tls" (tcp+tls), relp-plain
+ * -T   transport to use. Currently supported: "udp", "tcp" (default), "tls" (tcp+tls), relp-plain, relp-tls
 *      Note: UDP supports a single target port, only
 * -W	wait time between sending batches of messages, in microseconds (Default: 0)
 * -b   number of messages within a batch (default: 100,000,000 millions)
@ -57,6 +57,8 @@
 * -x	CA Cert File for verification (TLS Mode / OpenSSL only)
 * -z	private key file for TLS mode
 * -Z	cert (public key) file for TLS mode
+ * -a	Authentication Mode for relp-tls
+ * -E	Permitted Peer for relp-tls
 * -L	loglevel to use for GnuTLS troubleshooting (0-off to 10-all, 0 default)
 * -j	format message in json, parameter is JSON cookie
 * -O	Use octate-count framing
@ -197,6 +199,8 @@ static int numThrds = 1;	/* number of threads to use */
 static char *tlsCAFile = NULL;
 static char *tlsCertFile = NULL;
 static char *tlsKeyFile = NULL;
+static char *relpAuthMode = NULL;
+static char *relpPermittedPeer = NULL;
 static int tlsLogLevel = 0;
 static char *jsonCookie = NULL; /* if non-NULL, use JSON format with this cookie */
 static int octateCountFramed = 0;
@ -240,7 +244,7 @@ struct runstats {
 static int udpsock;			/* socket for sending in UDP mode */
 static struct sockaddr_in udpRcvr;	/* remote receiver in UDP mode */

-static enum { TP_UDP, TP_TCP, TP_TLS, TP_RELP_PLAIN } transport = TP_TCP;
+static enum { TP_UDP, TP_TCP, TP_TLS, TP_RELP_PLAIN, TP_RELP_TLS } transport = TP_TCP;

 /* forward definitions */
 static void initTLSSess(int);
@ -305,13 +309,40 @@ int openConn(int *fd, const int connIdx)
 	} else {
 		port = targetPort[0];
 	}
-	if(transport == TP_RELP_PLAIN) {
+	if(transport == TP_RELP_PLAIN || transport == TP_RELP_TLS) {
 		#ifdef ENABLE_RELP
 		relpRetVal relp_r;
 		relpClt_t *relpClt;
 		char relpPort[16];
 		snprintf(relpPort, sizeof(relpPort), "%d", port);
 		CHKRELP(relpEngineCltConstruct(pRelpEngine, &relpClt));
+		if(transport == TP_RELP_TLS) {
+			if(relpCltEnableTLS(relpClt) != RELP_RET_OK) {
+				fprintf(stderr, "error while enabling TLS for relp\n");
+				exit(1);
+			}
+			if(relpAuthMode != NULL && relpCltSetAuthMode(relpClt, relpAuthMode) != RELP_RET_OK) {
+				fprintf(stderr, "could not set Relp Authentication mode: %s\n", relpAuthMode);
+				exit(1);
+			}
+			if(tlsCAFile != NULL && relpCltSetCACert(relpClt, tlsCAFile) != RELP_RET_OK) {
+				fprintf(stderr, "could not set CA File: %s\n", tlsCAFile);
+				exit(1);
+			}
+			if(tlsCertFile != NULL && relpCltSetOwnCert(relpClt, tlsCertFile) != RELP_RET_OK) {
+				fprintf(stderr, "could not set Cert File: %s\n", tlsCertFile);
+				exit(1);
+			}
+			if(tlsKeyFile != NULL && relpCltSetPrivKey(relpClt, tlsKeyFile) != RELP_RET_OK) {
+				fprintf(stderr, "could not set Key File: %s\n", tlsKeyFile);
+				exit(1);
+			}
+			if(relpPermittedPeer != NULL && relpCltAddPermittedPeer(relpClt, relpPermittedPeer)
+					!= RELP_RET_OK) {
+				fprintf(stderr, "could not set Permitted Peer: %s\n", relpPermittedPeer);
+				exit(1);
+			}
+		}
 		relpCltArray[connIdx] = relpClt;
 		relp_r = relpCltConnect(relpCltArray[connIdx], 2,
 			(unsigned char*)relpPort, (unsigned char*)targetIP);
@ -374,7 +405,7 @@ int openConnections(void)
 #	endif
 	sockArray = calloc(numConnections, sizeof(int));
 	#ifdef ENABLE_RELP
-	if(transport == TP_RELP_PLAIN)
+	if(transport == TP_RELP_PLAIN || transport == TP_RELP_TLS)
 		relpCltArray = calloc(numConnections, sizeof(relpClt_t*));
 	#endif
 	for(i = 0 ; i < numConnections ; ++i) {
@ -394,7 +425,7 @@ int openConnections(void)
 					 * other functionality has a chance to do
 					 * at least something.
 					 */
-					if(transport == TP_RELP_PLAIN) {
+					if(transport == TP_RELP_PLAIN || transport == TP_RELP_TLS) {
 						#ifdef ENABLE_RELP
 						CHKRELP(relpEngineCltDestruct(pRelpEngine,
 							relpCltArray+i));
@ -454,7 +485,7 @@ void closeConnections(void)
 			lenMsg = sprintf(msgBuf, "\r%5.5d", i);
 			if(write(1, msgBuf, lenMsg)){}
 		}
-		if(transport == TP_RELP_PLAIN) {
+		if(transport == TP_RELP_PLAIN || transport == TP_RELP_TLS) {
 			#ifdef ENABLE_RELP
 			relpRetVal relpr;
 			if(sockArray[i] != -1) {
@ -659,7 +690,7 @@ int sendMessages(struct instdata *inst)
 				memcpy(sendBuf, buf, lenBuf);
 				offsSendBuf = lenBuf;
 			}
-		} else if(transport == TP_RELP_PLAIN) {
+		} else if(transport == TP_RELP_PLAIN || transport == TP_RELP_TLS) {
 			#ifdef ENABLE_RELP
 			relpRetVal relp_ret;
 			if(sockArray[socknum] == -1) {
@ -1440,7 +1471,7 @@ int main(int argc, char *argv[])

 	setvbuf(stdout, buf, _IONBF, 48);

-	while((opt = getopt(argc, argv, "b:ef:F:t:p:c:C:m:i:I:P:d:Dn:l:L:M:rsBR:S:T:x:XW:yYz:Z:j:Ov")) != -1) {
+	while((opt = getopt(argc, argv, "a:b:E:ef:F:t:c:C:m:i:I:P:p:d:Dn:l:L:M:rsBR:S:T:x:XW:yYz:Z:j:Ov")) != -1) {
 		switch (opt) {
 		case 'b':	batchsize = atoll(optarg);
 				break;
@ -1530,26 +1561,33 @@ int main(int argc, char *argv[])
 							"(add --enable-relp to ./configure options "
 							"if desired)\n");
 						exit(1);
+#					endif
+				} else if(!strcmp(optarg, "relp-tls")) {
+#					if defined(ENABLE_RELP)
+						transport = TP_RELP_TLS;
+#					else
+						fprintf(stderr, "compiled without RELP support: "
+							"\"-Trelp-tls\" not supported!\n"
+							"(add --enable-relp to ./configure options "
+							"if desired)\n");
+						exit(1);
 #					endif
 				} else {
 					fprintf(stderr, "unknown transport '%s'\n", optarg);
 					exit(1);
 				}
 				break;
+		case 'a':	relpAuthMode = optarg;
+				break;
+		case 'E':	relpPermittedPeer = optarg;
+				break;
 		case 'W':	waittime = atoi(optarg);
 				break;
 		case 'Y':	runMultithreaded = 1;
 				break;
 		case 'y':	useRFC5424Format = 1;
 				break;
-		case 'x':
-#			if defined(ENABLE_OPENSSL)
-				tlsCAFile = optarg;
-#			else
-				fprintf(stderr, "-x CAFile not supported in GnuTLS mode - ignored.\n"
-					"Note: we do NOT VERIFY the remote peer when compiled for GnuTLS.\n"
-					"When compiled for OpenSSL, we do.\n");
-#			endif
+		case 'x':	tlsCAFile = optarg;
 				break;
 		case 'z':	tlsKeyFile = optarg;
 				break;
@ -1570,6 +1608,14 @@ int main(int argc, char *argv[])
 		bSilent = 1;	/* auto-apply silent option during CI runs */
 	}

+	if(tlsCAFile != NULL && transport != TP_RELP_TLS) {
+		#if !defined(ENABLE_OPENSSL)
+			fprintf(stderr, "-x CAFile not supported in GnuTLS mode - ignored.\n"
+				"Note: we do NOT VERIFY the remote peer when compiled for GnuTLS.\n"
+				"When compiled for OpenSSL, we do.\n");
+		#endif
+	}
+
 	if(bStatsRecords && waittime) {
 		fprintf(stderr, "warning: generating performance stats and using a waittime "
 				"is somewhat contradictory!\n");
@ -1602,7 +1648,7 @@ int main(int argc, char *argv[])
 	}

 	if(tlsKeyFile != NULL || tlsCertFile != NULL) {
-		if(transport != TP_TLS) {
+		if(transport != TP_TLS && transport != TP_RELP_TLS) {
 			printf("error: TLS certificates were specified, but TLS is NOT enabled: "
 					"To enable TLS use parameter -Ttls\n");
 			exit(1);
@ -1616,7 +1662,7 @@ int main(int argc, char *argv[])
 			exit(1);
 		}
 		initTLS();
-	} else if(transport == TP_RELP_PLAIN) {
+	} else if(transport == TP_RELP_PLAIN || transport == TP_RELP_TLS) {
 		#ifdef ENABLE_RELP
 		initRELP_PLAIN();
 		#endif
@ -1635,7 +1681,7 @@ int main(int argc, char *argv[])
 	closeConnections(); /* this is important so that we do not finish too early! */

 	#ifdef ENABLE_RELP
-	if(transport == TP_RELP_PLAIN) {
+	if(transport == TP_RELP_PLAIN || transport == TP_RELP_TLS) {
 		CHKRELP(relpEngineDestruct(&pRelpEngine));
 	}
 	#endif