lib/fluent/plugin/output_node.rb in fluent-plugin-secure-forward-0.3.1 vs lib/fluent/plugin/output_node.rb in fluent-plugin-secure-forward-0.3.2

- old
+ new

@@ -128,20 +128,21 @@
 # ['HELO', options(hash)]
 unless message.size == 2 && message[0] == 'HELO'
 return false
 end
 opts = message[1]
+ @shared_key_nonce = opts['nonce'] || '' # make shared_key_check failed (instead of error) if protocol version mismatch exist
 @authentication = opts['auth']
 @allow_keepalive = opts['keepalive']
 true
 end
 
 def generate_ping
 log.debug "generating ping"
- # ['PING', self_hostname, sharedkey\_salt, sha512\_hex(sharedkey\_salt + self_hostname + shared_key),
+ # ['PING', self_hostname, sharedkey\_salt, sha512\_hex(sharedkey\_salt + self_hostname + nonce + shared_key),
 # username || '', sha512\_hex(auth\_salt + username + password) || '']
- shared_key_hexdigest = Digest::SHA512.new.update(@shared_key_salt).update(@sender.self_hostname).update(@shared_key).hexdigest
+ shared_key_hexdigest = Digest::SHA512.new.update(@shared_key_salt).update(@sender.self_hostname).update(@shared_key_nonce).update(@shared_key).hexdigest
 ping = ['PING', @sender.self_hostname, @shared_key_salt, shared_key_hexdigest]
 if @authentication != ''
 password_hexdigest = Digest::SHA512.new.update(@authentication).update(@username).update(@password).hexdigest
 ping.push(@username, password_hexdigest)
 else
@@ -151,11 +152,11 @@
 end
 
 def check_pong(message)
 log.debug "checking pong"
 # ['PONG', bool(authentication result), 'reason if authentication failed',
- # self_hostname, sha512\_hex(salt + self_hostname + sharedkey)]
+ # self_hostname, sha512\_hex(salt + self_hostname + nonce + sharedkey)]
 unless message.size == 5 && message[0] == 'PONG'
 return false, 'invalid format for PONG message'
 end
 pong, auth_result, reason, hostname, shared_key_hexdigest = message
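Review bot: The trailing comment on the new `@shared_key_nonce = opts['nonce'] || ''` line is misleading: feeding `''` to `Digest#update` leaves the digest unchanged, so against a peer that sends no nonce the PING digest is byte-identical to the pre-nonce `salt + self_hostname + shared_key` formula and the shared-key check passes rather than fails — that is a compatibility fallback, and the comment should say so, e.g. `# no nonce from peer (older protocol): fall back to the nonce-less digest`. The value also comes straight off the wire; if the deserializer hands back a non-String `nonce`, `.update(@shared_key_nonce)` in generate_ping raises TypeError instead of failing the check, so `@shared_key_nonce = opts['nonce'].to_s` (or an explicit String test that makes check_helo return false) would preserve the "failed, not error" intent the comment asks for. Both check_helo and generate_ping extend outside this hunk.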
@@ -165,11 +166,11 @@
 if hostname == @sender.self_hostname
 return false, 'same hostname between input and output: invalid configuration'
 end
- clientside = Digest::SHA512.new.update(@shared_key_salt).update(hostname).update(@shared_key).hexdigest
+ clientside = Digest::SHA512.new.update(@shared_key_salt).update(hostname).update(@shared_key_nonce).update(@shared_key).hexdigest
 unless shared_key_hexdigest == clientside
 return false, 'shared key mismatch'
 end
 return true, nil
@@ -251,12 +252,12 @@
 end
 log.trace "set verify_mode VERIFY_PEER"
 context.verify_mode = OpenSSL::SSL::VERIFY_PEER
 if @sender.enable_strict_verification
- context.ca_store = OpenSSL::X509::Store.new
+ context.cert_store = OpenSSL::X509::Store.new
 begin
- context.ca_store.set_default_paths
+ context.cert_store.set_default_paths
 rescue OpenSSL::X509::StoreError => e
 log.warn "faild to load system default certificates", error: e
 end
 end
 if @sender.ca_cert_path
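Review bot: `unless shared_key_hexdigest == clientside` compares the peer-supplied hex digest against the locally computed, key-derived one with ordinary `String#==`, which stops at the first differing byte; a constant-time comparison is the safer habit for a value derived from the shared key, e.g. `OpenSSL.secure_compare(shared_key_hexdigest.to_s, clientside)` where the openssl binding provides it (or `OpenSSL.fixed_length_secure_compare` behind a length check, since that variant raises on unequal lengths). The new `.update(@shared_key_nonce)` also assumes check_helo has already stored a String in `@shared_key_nonce`; if the constructor (outside this hunk) does not initialize it, a PONG handled without a preceding HELO raises TypeError from `update(nil)` rather than returning `false, 'shared key mismatch'`. check_pong starts before this hunk.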
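Review bot: The rescue around `context.cert_store.set_default_paths` only warns and then carries on with an empty `OpenSSL::X509::Store`; with `verify_mode = VERIFY_PEER` already set, every later handshake presumably fails certificate verification unless the `ca_cert_path` branch below adds trust anchors, and that failure surfaces far from its cause. Logging at error level with the consequence spelled out — `log.error "failed to load system default certificates; peer verification will fail unless ca_cert_path is set", error: e` — points the operator at the right place and also fixes the `faild` typo in the existing message. Whether the strict-verification branch also enables hostname verification (`verify_hostname` on contexts whose openssl binding supports it) is not visible from this hunk; if it does not, `cert_store` validates the chain but not that the certificate matches the configured host. The enclosing method continues outside this hunk.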