Update to 1.6.0

Makefile.am

@@ -296,12 +296,13 @@ spotless: distclean
 ##
 #
 
-
+if HAVE_YAJL
 TESTS += tests/test-json
 check_PROGRAMS += tests/test-json
 tests_test_json_SOURCES = tests/test-json.c
 tests_test_json_LDADD = axa/libaxa.la ${libnmsg_LIBS} ${check_LIBS}
 tests_test_json_CFLAGS = ${AM_CFLAGS} ${libnmsg_CFLAGS} ${check_CFLAGS} ${libssl_CFLAGS}
+endif
 
 TESTS += tests/test-apikey
 check_PROGRAMS += tests/test-apikey

axa/client_config.h

@@ -53,9 +53,13 @@ void axa_unload_client_config(void);
 /**
  *  Load client config.
  *
+ *  \param[out] emsg error message if something went wrong
  *  \param[in] config_file0 canonical name of config file
+ *
+ *  \retval true if file was successfully opened and parsed
+ *  \retval false if there was an error, emsg will contain the reason
  */
-void axa_load_client_config(const char *config_file0);
+bool axa_load_client_config(axa_emsg_t *emsg, const char *config_file0);
 
 /**
  *  Check for a connection alias.

axa/open_nmsg_out.h

@@ -32,7 +32,8 @@
 #include <nmsg.h>
 
 /**
- *  Open an output NMSG stream for output or forwarding by sratunnel or sratool.
+ *  Open an output nmsg stream for output or forwarding by sratunnel or
+ *  sratool. Note that all nmsg output objects are unbuffered.
  *
  *  \param[out] emsg if something goes wrong, this will contain the reason
  *  \param[out] out_nmsg_output nmsg_output_t of the newly opened NMSG

axa/wire.h

@@ -547,6 +547,8 @@ extern bool axa_tls_parse(axa_emsg_t *emsg,
 			  char **cert_filep, char **key_filep, char **addr,
 			  const char *spec);
 
+extern bool axa_apikey_load_and_check_key(axa_emsg_t *emsg,
+			  const char *key_file, const char *cert_file);
 /* Internal functions */
 extern axa_io_result_t axa_tls_start(axa_emsg_t *emsg, axa_io_t *io);
 extern axa_io_result_t axa_apikey_start(axa_emsg_t *emsg, axa_io_t *io);

axalib/client.c

@@ -410,7 +410,7 @@ axa_client_open(axa_emsg_t *emsg, axa_client_t *client, const char *addr,
 	p = strpbrk(addr, AXA_WHITESPACE":");
 	if (p == NULL) {
 		axa_pemsg(emsg,
-			"invalid AXA transport protocol or alias \"%s\"",
+			"missing AXA transport delimiter in \"%s\"",
 			addr);
 		axa_client_backoff_max(client);
 		return (AXA_CONNECT_ERR);

axalib/client_config.c

@@ -17,6 +17,7 @@
  */
 
 #include <config.h>
+#include <axa/axa.h>
 #include <axa/client_config.h>
 
 #include <stdlib.h>
@@ -114,15 +115,17 @@ _config_entry_parse(const char *line0)
 /*
  * Read AXA client config file.
  */
-void
-axa_load_client_config(const char *config_file0)
+bool
+axa_load_client_config(axa_emsg_t *emsg, const char *config_file0)
 {
 	FILE *f;
 	char line_buf[1024], *p, *config_file;
 	uint line_num;
 	size_t line_buf_size;
 	const char *line0;
+	bool retval;
 
+	retval = true;
 	axa_unload_client_config();
 
 	/*
@@ -142,23 +145,24 @@ axa_load_client_config(const char *config_file0)
 		}
 	}
 	if (f == NULL) {
-		axa_error_msg("cannot open \"%s\": %s",
+		axa_pemsg(emsg, "cannot open \"%s\": %s",
 			      config_file, strerror(errno));
 		free(config_file);
-		return;
+		return (false);
 	}
 
 	/* alias section */
 	if (regcomp(&alias_re, alias_re_s, REG_EXTENDED | REG_NOSUB) != 0) {
-		axa_error_msg("invalid alias regex \"%s\"", alias_re_s);
+		axa_pemsg(emsg, "invalid alias regex \"%s\"", alias_re_s);
+		retval = false;
 		goto done;
 	}
 
 	p = line_buf;
 	line_buf_size = sizeof(line_buf);
 	line_num = 0;
-	/* Parse config file, line by line. A parsing error will throw an
-	 * error message and control will continue to the next line. */
+	/* Parse config file, line by line. A parsing error will generate an
+	 * error message and quit the parser. */
 	for (;;) {
 		line0 = axa_fgetln(f, config_file, &line_num, &p,
 				&line_buf_size);
@@ -168,16 +172,19 @@ axa_load_client_config(const char *config_file0)
 		}
 
 		if (_config_entry_parse(line0) == false) {
-			axa_error_msg("invalid \"%s\" in line %d of"
+			axa_pemsg(emsg, "invalid \"%s\" in line %d of"
 					"\"%s\"", line0, line_num,
 					config_file);
-			continue;
+			retval = false;
+			goto done;
 		}
 	}
 done:
 	regfree(&alias_re);
 	free(config_file);
 	fclose(f);
+
+	return (retval);
 }
 
 const char *

axalib/open_nmsg_out.c

@@ -119,5 +119,8 @@ axa_open_nmsg_out(axa_emsg_t *emsg,
 		}
 	}
 
+	/* unbuffer all nmsg outputs */
+	nmsg_output_set_buffered(*out_nmsg_output, false);
+
 	return (1);
 }

axalib/tls.c

@@ -32,7 +32,7 @@
 
 static char *certs_dir = NULL;
 
-static char cipher_list0[] = TLS_CIPHERS;
+static char cipher_list0[] = "ALL";
 static char *cipher_list = cipher_list0;
 
 /* All apikey related TLS data and functions are in the 'axa_apikey_'
@@ -44,6 +44,7 @@ static bool apikey_initialized = false;
 static bool tls_srvr = false;
 static bool apikey_srvr = false;
 static bool tls_threaded = false;
+static bool apikey_threaded = false;
 static bool tls_cleaned = false;
 static bool apikey_cleaned = false;
 static pthread_t init_id;
@@ -495,15 +496,15 @@ axa_apikey_init(axa_emsg_t *emsg, bool srvr, bool threaded)
 
 	if (apikey_initialized) {
 		/* Require consistency. */
-		AXA_ASSERT(apikey_srvr == srvr && tls_threaded == threaded);
+		AXA_ASSERT(apikey_srvr == srvr && apikey_threaded == threaded);
 
 		/*
 		 * Check that every initialization is just as threaded.
 		 * No harm is done by using pthread_self() in unthreaded
 		 * callers of this, because libaxa uses libnmsg which uses
 		 * pthreads.
 		 */
-		if (!tls_threaded)
+		if (!apikey_threaded)
 			AXA_ASSERT(pthread_self() == apikey_init_id);
 
 		AXA_ASSERT(__sync_sub_and_fetch(&init_critical, 1) == 0);
@@ -512,7 +513,7 @@ axa_apikey_init(axa_emsg_t *emsg, bool srvr, bool threaded)
 
 	apikey_initialized = true;
 	apikey_srvr = srvr;
-	tls_threaded = threaded;
+	apikey_threaded = threaded;
 	apikey_init_id = pthread_self();
 
 	SSL_library_init();
@@ -525,7 +526,7 @@ axa_apikey_init(axa_emsg_t *emsg, bool srvr, bool threaded)
 	/*
 	 * Turn on OpenSSL threading if needed.
 	 */
-	if (tls_threaded) {
+	if (apikey_threaded) {
 		/* static locks */
 		CRYPTO_set_id_callback(id_function);
 		num_locks = CRYPTO_num_locks();
@@ -1033,6 +1034,44 @@ axa_tls_start(axa_emsg_t *emsg, axa_io_t *io)
 	return (AXA_IO_OK);
 }
 
+bool
+axa_apikey_load_and_check_key(axa_emsg_t *emsg, const char *key_file,
+		const char *cert_file) {
+	/* Apparently the following functions are either not
+	 * thread-safe or not idempotent, or both. Calling
+	 * them for each new apikey session appeared to race
+	 * with other threads and resulted in spurious crashes
+	 * when apikey sessions would arrive "concurrently".
+	 *
+	 * The solution appears to be calling them once when
+	 * the first apikey session shows up. This should be called after
+	 * axa_apikey_init() successfully completes.
+	 */
+	if (!apikey_srvr)
+		return (false);
+
+	if (0 >= SSL_CTX_use_PrivateKey_file(apikey_ssl_ctx, key_file,
+				SSL_FILETYPE_PEM)) {
+		q_pemsg(emsg, "SSL_use_PrivateKey_file(%s)", key_file);
+		return (false);
+	}
+
+	if (0 >= SSL_CTX_use_certificate_chain_file(apikey_ssl_ctx,
+				cert_file)) {
+		q_pemsg(emsg, "SSL_CTX_use_certificate_chain_file(%s)",
+				cert_file);
+		return (false);
+	}
+
+	if (0 >= SSL_CTX_check_private_key(apikey_ssl_ctx)) {
+		q_pemsg(emsg, "SSL_check_private_key(%s %s)", cert_file,
+				key_file);
+		return (false);
+	}
+
+	return (true);
+}
+
 /* Initialize per-connection OpenSSL data and complete the TLS handshake. */
 axa_io_result_t
 axa_apikey_start(axa_emsg_t *emsg, axa_io_t *io)
@@ -1051,30 +1090,6 @@ axa_apikey_start(axa_emsg_t *emsg, axa_io_t *io)
 
 		ERR_clear_error();
 
-		if (apikey_srvr) {
-			if (0 >= SSL_CTX_use_PrivateKey_file(apikey_ssl_ctx,
-						io->key_file,
-						SSL_FILETYPE_PEM)) {
-				q_pemsg(emsg, "SSL_use_PrivateKey_file(%s)",
-					io->key_file);
-				return (AXA_IO_ERR);
-			}
-
-			if (0 >= SSL_CTX_use_certificate_chain_file(
-						apikey_ssl_ctx,
-						io->cert_file)) {
-				q_pemsg(emsg,
-				"SSL_CTX_use_certificate_chain_file(%s)",
-				io->cert_file);
-				return (AXA_IO_ERR);
-			}
-
-			if (0 >= SSL_CTX_check_private_key(apikey_ssl_ctx)) {
-				q_pemsg(emsg, "SSL_check_private_key(%s %s)",
-					io->cert_file, io->key_file);
-				return (AXA_IO_ERR);
-			}
-		}
 		io->ssl = SSL_new(apikey_ssl_ctx);
 		if (io->ssl == NULL) {
 			q_pemsg(emsg, "SSL_new()");

axalib/wire.c

@@ -1699,7 +1699,20 @@ axa_io_close(axa_io_t *io)
 {
 	int wstatus;
 
-	axa_tls_stop(io);
+	switch (io->type) {
+		case AXA_IO_TYPE_APIKEY:
+			axa_apikey_stop(io);
+			break;
+		case AXA_IO_TYPE_TLS:
+			axa_tls_stop(io);
+			break;
+		case AXA_IO_TYPE_UNIX:
+		case AXA_IO_TYPE_UNKN:
+		case AXA_IO_TYPE_SSH:
+		case AXA_IO_TYPE_TCP:
+		default:
+			break;
+	}
 
 	if (io->i_fd >= 0 && io->i_fd != io->o_fd)
 		ck_close(io->i_fd, "io->i_fd");

configure.ac

@@ -1,5 +1,5 @@
 AC_PREREQ(2.60)
-AC_INIT([axa], [1.5.1])
+AC_INIT([axa], [1.6.0])
 PACKAGE_DESCRIPTION="Farsight Security Advanced Exchange Access (AXA)"
 AC_SUBST(PACKAGE_DESCRIPTION)
 AC_CONFIG_SRCDIR([axa/axa.h])
@@ -76,6 +76,7 @@ if test "x$with_yajl" != "xno"; then
 else
 	use_yajl="false"
 fi
+AM_CONDITIONAL([HAVE_YAJL], [test "$use_yajl" = "true"])
 
 PKG_CHECK_MODULES([check], [check >= 0.10.0],
 		[CHECK_MOD_MSG="yes"], [CHECK_MOD_MSG="no"])
@@ -127,12 +128,6 @@ AC_CONFIG_FILES([cert_tools/axa_make_cert],
 AC_CONFIG_FILES([cert_tools/axa_server_cert],
 		[chmod +x cert_tools/axa_server_cert])
 
-AC_ARG_WITH([ciphers],
-AS_HELP_STRING([--with-ciphers=list], [TLS cipher list]),
-[TLS_CIPHERS="$withval"],[TLS_CIPHERS="ALL"])
-AC_DEFINE_UNQUOTED(TLS_CIPHERS,"$TLS_CIPHERS",[TLS cipher list])
-
-
 AC_OUTPUT
 AC_MSG_RESULT([
     $PACKAGE $VERSION
@@ -150,7 +145,6 @@ AC_MSG_RESULT([
 
         building html docs:     ${DOC_HTML_MSG}
 
-	TLS ciphers:		$TLS_CIPHERS
 	yajl support:           ${use_yajl}
 	make check available:   ${CHECK_MOD_MSG}
 ])

debian/changelog

@@ -1,3 +1,18 @@
+axa (1.6.0-1) unstable; urgency=low
+
+  * Fix make check Clang compiler warnings
+  * Fix small bugs in apikey transport
+  * Fix sratool/radtool command completion bug
+  * Fix sratool/radtool overzealous help bug
+  * Fix `make check` when building without yajl
+  * Add axa_apikey_load_and_check_key()
+  * Update README (additional examples)
+  * Remove configure option to select compile-time list of available ciphers
+  * Make config file errors emitted according to axa_debug level
+  * Make nmsg file and udp output objects unbuffered
+
+ -- Farsight Security, Inc. <software@farsightsecurity.com>  Thu, 29 Jun 2017 18:10:44 +0000
+
 axa (1.5.1-1) unstable; urgency=low
 
   * Fix Clang compiler warnings