lib/fluent/plugin/output_node.rb in fluent-plugin-secure-forward-0.3.1 vs lib/fluent/plugin/output_node.rb in fluent-plugin-secure-forward-0.3.2
- old
+ new
@@ -128,20 +128,21 @@
# ['HELO', options(hash)]
unless message.size == 2 && message[0] == 'HELO'
return false
end
opts = message[1]
+ @shared_key_nonce = opts['nonce'] || '' # make shared_key_check failed (instead of error) if protocol version mismatch exist
@authentication = opts['auth']
@allow_keepalive = opts['keepalive']
true
end
def generate_ping
log.debug "generating ping"
- # ['PING', self_hostname, sharedkey\_salt, sha512\_hex(sharedkey\_salt + self_hostname + shared_key),
+ # ['PING', self_hostname, sharedkey\_salt, sha512\_hex(sharedkey\_salt + self_hostname + nonce + shared_key),
# username || '', sha512\_hex(auth\_salt + username + password) || '']
- shared_key_hexdigest = Digest::SHA512.new.update(@shared_key_salt).update(@sender.self_hostname).update(@shared_key).hexdigest
+ shared_key_hexdigest = Digest::SHA512.new.update(@shared_key_salt).update(@sender.self_hostname).update(@shared_key_nonce).update(@shared_key).hexdigest
ping = ['PING', @sender.self_hostname, @shared_key_salt, shared_key_hexdigest]
if @authentication != ''
password_hexdigest = Digest::SHA512.new.update(@authentication).update(@username).update(@password).hexdigest
ping.push(@username, password_hexdigest)
else
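Review bot: `opts['nonce']` is taken straight from the peer's HELO without a type check, and the `|| ''` fallback only covers nil/false, so a non-String nonce on the wire reaches `Digest::SHA512#update` in generate_ping (and in check_pong, third hunk) and raises TypeError instead of producing a clean protocol failure. Since the HELO payload is deserialized from the remote side, reject it where it is read: `nonce = opts['nonce'] || ''` / `return false unless nonce.is_a?(String)` / `@shared_key_nonce = nonce`. The added comment would also read better as `# default to '' so an old peer without nonce fails the shared-key check rather than raising`, which is what the code appears to intend. check_helo begins before this hunk and generate_ping runs past its end.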
@@ -151,11 +152,11 @@
end
def check_pong(message)
log.debug "checking pong"
# ['PONG', bool(authentication result), 'reason if authentication failed',
- # self_hostname, sha512\_hex(salt + self_hostname + sharedkey)]
+ # self_hostname, sha512\_hex(salt + self_hostname + nonce + sharedkey)]
unless message.size == 5 && message[0] == 'PONG'
return false, 'invalid format for PONG message'
end
pong, auth_result, reason, hostname, shared_key_hexdigest = message
@@ -165,11 +166,11 @@
if hostname == @sender.self_hostname
return false, 'same hostname between input and output: invalid configuration'
end
- clientside = Digest::SHA512.new.update(@shared_key_salt).update(hostname).update(@shared_key).hexdigest
+ clientside = Digest::SHA512.new.update(@shared_key_salt).update(hostname).update(@shared_key_nonce).update(@shared_key).hexdigest
unless shared_key_hexdigest == clientside
return false, 'shared key mismatch'
end
return true, nil
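Review bot: The new `clientside` digest is still compared with plain `String#==` on the following line, which returns as soon as a byte differs; the attacker-controlled value here is the PONG digest itself, so an early-exit compare is exactly what a timing probe would target. A constant-time comparison costs one line: `unless OpenSSL.secure_compare(shared_key_hexdigest.to_s, clientside)` (available in the openssl gem 2.2+; on older Rubies a hand-written fixed-length compare over the hex strings). The `.to_s` also keeps a non-String `shared_key_hexdigest` from the message on the mismatch path rather than raising. check_pong begins before this hunk.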
@@ -251,12 +252,12 @@
end
log.trace "set verify_mode VERIFY_PEER"
context.verify_mode = OpenSSL::SSL::VERIFY_PEER
if @sender.enable_strict_verification
- context.ca_store = OpenSSL::X509::Store.new
+ context.cert_store = OpenSSL::X509::Store.new
begin
- context.ca_store.set_default_paths
+ context.cert_store.set_default_paths
rescue OpenSSL::X509::StoreError => e
log.warn "faild to load system default certificates", error: e
end
end
if @sender.ca_cert_path
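Review bot: When `set_default_paths` raises, the freshly assigned `context.cert_store` stays empty and the rescue only logs at warn level, so with `enable_strict_verification` the VERIFY_PEER mode set just above will reject every server certificate unless `ca_cert_path` (checked right after this hunk) supplies a trust anchor; that fail-closed outcome deserves a comment above the `begin`, e.g. `# if default CA paths cannot be loaded the store stays empty: strict verification then trusts only ca_cert_path`. The warn message could state the same consequence rather than only reporting the load failure, and the typo `faild` in that context line could be fixed while touching it. The enclosing method begins before this hunk and continues after it.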