From 029ec0890f4fa6cfd601cfca724b9cc5b33d9054 Mon Sep 17 00:00:00 2001
From: Ry Biesemeyer
Date: Fri, 11 Nov 2022 00:54:26 +0000
Subject: [PATCH 1/2] update JAR dependencies
---
 build.gradle | 16 ++++++++++------
 1 file changed, 10 insertions(+), 6 deletions(-)
diff --git a/build.gradle b/build.gradle
index bcda498..6b0544d 100644
--- a/build.gradle
+++ b/build.gradle
@@ -43,7 +43,7 @@ repositories {
 dependencies {
 testImplementation 'org.apache.logging.log4j:log4j-core:2.17.1'
- implementation 'io.netty:netty-all:4.1.65.Final'
+ implementation 'io.netty:netty-all:4.1.68.Final'
 implementation group: 'commons-io', name: 'commons-io', version: '2.8.0' // used from Netty
 compileOnly 'org.apache.logging.log4j:log4j-api:2.17.1' // provided by Logstash
 compileOnly group: 'org.jruby', name: 'jruby-complete', version: "9.1.13.0" // provided by Logstash
@@ -57,9 +57,12 @@ task generateGemJarRequiresFile {
 jars_file.newWriter().withWriter { w ->
 w << "# AUTOGENERATED BY THE GRADLE SCRIPT. DO NOT EDIT.\n\n"
 w << "require \'jar_dependencies\'\n"
- configurations.runtimeClasspath.allDependencies.each {
- w << "require_jar(\'${it.group}\', \'${it.name}\', \'${it.version}\')\n"
- }
+ configurations.runtimeClasspath.resolvedConfiguration.resolvedArtifacts
+ .collect {it.owner}
+ .sort { it.group }
+ .each {
+ w << "require_jar(\'${it.group}\', \'${it.name}\', \'${it.version}\')\n"
+ }
 w << "\nrequire_jar(\'${project.group}\', \'${project.name}\', \'${project.version}\')\n"
 }
 }
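Review bot: The `.sort { it.group }` line orders the generated `require_jar` list by group only, so artifacts that share a group keep whatever iteration order the resolved-artifact set happens to have, and a module that resolves to more than one artifact (a classifier jar, say) would be written twice because `.collect {it.owner}` is not de-duplicated. If `jars_file` is checked in, a total order keeps its diffs reproducible: `.collect { it.owner }.unique().sort { "${it.group}:${it.name}:${it.version}".toString() }`. A comment on the `configurations.runtimeClasspath.resolvedConfiguration.resolvedArtifacts` line stating that this now lists the resolved transitive closure rather than only the declared dependencies would also spell out the intent for whoever reads the autogenerated file.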
@@ -68,8 +71,9 @@ task generateGemJarRequiresFile {
 task vendor {
 doLast {
 String vendorPathPrefix = "vendor/jar-dependencies"
- configurations.runtimeClasspath.allDependencies.each { dep ->
- File f = configurations.runtimeClasspath.filter { it.absolutePath.contains("${dep.group}/${dep.name}/${dep.version}") }.singleFile
+ configurations.runtimeClasspath.resolvedConfiguration.resolvedArtifacts.each { artifact ->
+ ModuleVersionIdentifier dep = artifact.owner
+ File f = artifact.file
 String groupPath = dep.group.replaceAll('\\.', '/')
 File newJarFile = file("${vendorPathPrefix}/${groupPath}/${dep.name}/${dep.version}/${dep.name}-${dep.version}.jar")
 newJarFile.mkdirs()
From 4674de2b7295ed46f097af2efc368714cb336192 Mon Sep 17 00:00:00 2001
From: Ry Biesemeyer
Date: Fri, 11 Nov 2022 01:43:24 +0000
Subject: [PATCH 2/2] fix: provide ssl engine with advisory peer and algorithm info
---
 CHANGELOG.md | 3 +++
 Rakefile | 5 +++--
 spec/inputs/tcp_spec.rb | 2 +-
 spec/spec_helper.rb | 5 +++--
 src/main/java/org/logstash/tcp/InputLoop.java | 21 ++++++++++++++++++-
 version | 2 +-
 6 files changed, 31 insertions(+), 7 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 33882d4..90e2270 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,6 @@
+## 6.3.2
+ - Fix: provide SSL engine with advisory peer and algorithm information [207](https://github.com/logstash-plugins/logstash-input-tcp/issues/207)
+
 ## 6.3.1
 - Fixes a regression in which the ssl_subject was missing for SSL-secured connections in server mode [#199](https://github.com/logstash-plugins/logstash-input-tcp/pull/199)
diff --git a/Rakefile b/Rakefile
index 2eee159..a278a02 100644
--- a/Rakefile
+++ b/Rakefile
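Review bot: The vendored file name on the `File newJarFile = ...` context line is still built from `dep.name` and `dep.version` alone, while `File f = artifact.file` now hands over whatever artifact Gradle resolved; an artifact with a classifier or a non-`jar` extension would be copied under a name that hides that, and the requires file generated by the task above would then name a file that does not exist. I would derive the name from `artifact.name`, `artifact.classifier` and `artifact.extension`, or at least fail the task when `artifact.classifier != null || artifact.extension != 'jar'`, so the vendored layout stays one-to-one with what `require_jar` expects. The loop body continues past the hunk, so I cannot see the copy itself; note that the pre-existing `newJarFile.mkdirs()` creates a directory at the jar's own path rather than at its parent, which looks wrong unless the lines below account for it.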
@@ -6,10 +6,11 @@ end
 task :vendor => :install_jars
+Rake::Task["test"].clear
 task :test do
 require 'rspec'
 require 'rspec/core/runner'
 Rake::Task[:install_jars].invoke
- sh './gradlew test'
- exit(RSpec::Core::Runner.run(Rake::FileList['spec/**/*_spec.rb']))
+ sh(%{./gradlew test}) { |ok,res| exit(res) unless ok }
+ exit(RSpec::Core::Runner.run(%w(--format documentation).concat(Rake::FileList['spec/**/*_spec.rb'])))
 end
diff --git a/spec/inputs/tcp_spec.rb b/spec/inputs/tcp_spec.rb
index 388175b..0db43ba 100644
--- a/spec/inputs/tcp_spec.rb
+++ b/spec/inputs/tcp_spec.rb
@@ -90,7 +90,7 @@ def get_port
 aggregate_failures("event #{i}") do
 expect(event.get("message")).to eq("#{i} ☹")
 expect(event.get(ecs_select[disabled: "host", v1: "[@metadata][input][tcp][source][name]"])).to eq("localhost").or eq("ip6-localhost")
- expect(event.get(ecs_select[disabled: "[@metadata][ip_address]", v1: "[@metadata][input][tcp][source][ip]"])).to eq('127.0.0.1')
+ expect(event.get(ecs_select[disabled: "[@metadata][ip_address]", v1: "[@metadata][input][tcp][source][ip]"])).to eq('127.0.0.1').or eq("0:0:0:0:0:0:0:1")
 end
 end
 end
diff --git a/spec/spec_helper.rb b/spec/spec_helper.rb
index 7dcdba0..853acad 100644
--- a/spec/spec_helper.rb
+++ b/spec/spec_helper.rb
@@ -91,7 +91,7 @@ def build_certificate(root_ca, root_key, name, password=nil)
 key = ( root_key.nil? ? OpenSSL::PKey::RSA.new(2048) : root_key )
 options = { :serial => 2, :subject => "/DC=org/DC=ruby-lang/CN=Ruby#{name}", :key => key, :issuer => root_ca.subject}
 cert = new_certificate(options)
- add_ca_extensions(cert, nil, root_ca)
+ add_ca_extensions(cert, nil, root_ca, %w(IP:127.0.0.1 IP:0:0:0:0:0:0:0:1))
 if password
 key_text = key.to_pem(OpenSSL::Cipher::AES256.new(:CFB), password)
 [ cert.sign(key, OpenSSL::Digest::SHA256.new), key, key_text ]
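Review bot: `exit(res)` on the new `sh(%{./gradlew test}) { |ok,res| exit(res) unless ok }` line passes a `Process::Status` to `Kernel#exit`, which accepts only `true`/`false` or an Integer; `Process::Status` has `exitstatus`/`to_i` but no `to_int`, so a failing gradle run would most likely abort with a `TypeError` raised from inside the block instead of exiting with gradle's status. Use `exit(res.exitstatus || 1)`, where the `|| 1` covers a signal-terminated process whose `exitstatus` is `nil`. The rake task still fails either way, so this is about a clean exit code and a readable failure rather than a masked error.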
@@ -120,7 +120,7 @@ def new_certificate(options)
 cert
 end
- def add_ca_extensions(certificate, subject=nil, issuer=nil)
+ def add_ca_extensions(certificate, subject=nil, issuer=nil, san_list=[])
 factory = OpenSSL::X509::ExtensionFactory.new
 factory.subject_certificate = (subject.nil? ? certificate : subject)
 factory.issuer_certificate = (issuer.nil? ? certificate : issuer)
@@ -129,6 +129,7 @@ def add_ca_extensions(certificate, subject=nil, issuer=nil)
 certificate.add_extension(factory.create_extension("keyUsage","keyCertSign, cRLSign, digitalSignature", true))
 certificate.add_extension(factory.create_extension("subjectKeyIdentifier","hash",false))
 certificate.add_extension(factory.create_extension("authorityKeyIdentifier","keyid:always",false))
+ certificate.add_extension(factory.create_extension('subjectAltName', san_list.join(','))) unless san_list.empty?
 end
 end
diff --git a/src/main/java/org/logstash/tcp/InputLoop.java b/src/main/java/org/logstash/tcp/InputLoop.java
index 8229517..764b375 100644
--- a/src/main/java/org/logstash/tcp/InputLoop.java
+++ b/src/main/java/org/logstash/tcp/InputLoop.java
@@ -12,11 +12,14 @@ import io.netty.channel.socket.SocketChannel;
 import io.netty.channel.socket.nio.NioServerSocketChannel;
 import io.netty.handler.ssl.SslContext;
+import io.netty.handler.ssl.SslHandler;
 import io.netty.util.concurrent.Future;
 import io.netty.util.concurrent.GenericFutureListener;
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
+import javax.net.ssl.SSLEngine;
+import javax.net.ssl.SSLParameters;
 import java.io.Closeable;
 import java.io.IOException;
 import java.net.InetSocketAddress;
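Review bot: The new `san_list` parameter on `def add_ca_extensions(certificate, subject=nil, issuer=nil, san_list=[])` is undocumented, and its entries are joined verbatim into the `subjectAltName` value, so callers must already pass OpenSSL-syntax entries (`IP:`, `DNS:`, …) and a malformed one only surfaces as an extension error at `create_extension` time. I would add above the method: `# san_list: OpenSSL-style subjectAltName entries, e.g. %w(DNS:localhost IP:127.0.0.1); no SAN is added when empty`. The helper is still named `add_ca_extensions` while it now also stamps SANs onto certificates that, per the `keyUsage keyCertSign, cRLSign` context line, all receive CA-style key usage, so a one-line note that these are shared test-fixture extensions rather than a CA property would keep the next reader from drawing the wrong conclusion.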
@@ -134,7 +137,7 @@ protected void initChannel(final SocketChannel channel) throws Exception {
 // if SSL is enabled, the SSL handler must be added to the pipeline first
 if (sslContext != null) {
- channel.pipeline().addLast(SSL_HANDLER, sslContext.newHandler(channel.alloc()));
+ channel.pipeline().addLast(SSL_HANDLER, newSslHandler(channel));
 }
 channel.pipeline().addLast(new DecoderAdapter(localCopy, logger));
@@ -145,6 +148,22 @@ protected void initChannel(final SocketChannel channel) throws Exception {
 }
 }
+ private SslHandler newSslHandler(final SocketChannel socketChannel) {
+ final InetSocketAddress remoteAddress = socketChannel.remoteAddress();
+ final String peerHost = remoteAddress.getHostString();
+ final int peerPort = remoteAddress.getPort();
+ final SslHandler sslHandler = sslContext.newHandler(socketChannel.alloc(), peerHost, peerPort);
+
+ final SSLEngine engine = sslHandler.engine();
+ engine.setUseClientMode(false);
+
+ final SSLParameters sslParameters = engine.getSSLParameters();
+ sslParameters.setEndpointIdentificationAlgorithm("HTTPS");
+ engine.setSSLParameters(sslParameters);
+
+ return sslHandler;
+ }
+
 @Override
 public void exceptionCaught(ChannelHandlerContext ctx, Throwable cause) throws Exception {
 logger.error("Error in Netty input handler: " + cause);
diff --git a/version b/version
index dc0208a..91e4a9f 100644
--- a/version
+++ b/version
@@ -1 +1 @@
-6.3.1
+6.3.2
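Review bot: `sslParameters.setEndpointIdentificationAlgorithm("HTTPS")` on a server-mode engine whose peer host is the client's socket address is not merely advisory: as far as I can tell from JSSE's behaviour, the JDK's default X.509 trust manager applies the engine's endpoint identification algorithm to the client chain as well, matching the client certificate against the engine's peer host, so whenever client-certificate verification is enabled the peer's certificate would have to carry a SAN for its source IP (or for whatever `getHostString()` returns), which is exactly what the test certificates in this same patch gain with `IP:127.0.0.1`/`IP:0:0:0:0:0:0:0:1`. That would reject client certificates that are correctly CA-signed but lack such a SAN and behaves differently for clients behind NAT or a proxy; the Ruby-side SslContext and trust-manager setup is not visible here, so whether and when this check fires should be confirmed before release, and either the commit's "advisory" wording corrected or the algorithm set only when that identity check is actually wanted. `socketChannel.remoteAddress()` can be null for a channel that is no longer connected, so I would guard it instead of dereferencing unconditionally, and `engine.setUseClientMode(false)` is redundant for an engine created from a server `SslContext`, though harmless. A Javadoc on `newSslHandler` saying that peer host/port come from the remote socket address and what `"HTTPS"` turns on would make the intent reviewable.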