diff options
| author | Rainer Gerhards <rgerhards@adiscon.com> | 2008-05-19 18:52:44 +0200 |
|---|---|---|
| committer | Rainer Gerhards <rgerhards@adiscon.com> | 2008-05-19 18:52:44 +0200 |
| commit | 85b587f93d7f1294fae78317c0841a30aaa03583 (patch) | |
| tree | fcfcf000d37b873cf385782fe8c411fb21f1b1c0 /runtime/net.c | |
| parent | 48684ceac5d57f2c3bc9e8afce98d2026ab51958 (diff) | |
| download | rsyslog-85b587f93d7f1294fae78317c0841a30aaa03583.tar.gz rsyslog-85b587f93d7f1294fae78317c0841a30aaa03583.tar.bz2 rsyslog-85b587f93d7f1294fae78317c0841a30aaa03583.zip | |
first implementation of TLS server client authentication check
The TLS server now checks the client fingerprint. This works, but
is highly experimental. Needs to be refined for practice. Also:
- implemented permittedPeers helper construct to store names
- changed omfwd implementation to use new permittedPeers
Diffstat (limited to 'runtime/net.c')
| -rw-r--r-- | runtime/net.c | 64 |
1 files changed, 64 insertions, 0 deletions
diff --git a/runtime/net.c b/runtime/net.c index 7663b1b3..cbff1003 100644 --- a/runtime/net.c +++ b/runtime/net.c @@ -88,6 +88,68 @@ static struct AllowedSenders *pLastAllowedSenders_GSS = NULL; int ACLAddHostnameOnFail = 0; /* add hostname to acl when DNS resolving has failed */ int ACLDontResolve = 0; /* add hostname to acl instead of resolving it to IP(s) */ + +/* ------------------------------ begin permitted peers code ------------------------------ */ + + +/* add a permitted peer. PermittedPeers is an interim solution until we can provide + * access control via enhanced RainerScript methods. + * Note: the provided string is handed over to this function, caller must + * no longer access it. -- rgerhards, 2008-05-19 + */ +static rsRetVal +AddPermittedPeer(permittedPeers_t **ppRootPeer, uchar* pszID) +{ + permittedPeers_t *pNew = NULL; + DEFiRet; + + assert(ppRootPeer != NULL); + assert(pszID != NULL); + + CHKmalloc(pNew = malloc(sizeof(permittedPeers_t))); + CHKmalloc(pNew->pszID = (uchar*)strdup((char*)pszID)); + pNew->pNext = NULL; + + if(*ppRootPeer != NULL) { + pNew->pNext = *ppRootPeer; + } + *ppRootPeer = pNew; + +finalize_it: + if(iRet != RS_RET_OK) { + if(pNew != NULL) + free(pNew); + } + RETiRet; +} + + +/* Destruct a permitted peers list -- rgerhards, 2008-05-19 */ +static rsRetVal +DestructPermittedPeers(permittedPeers_t **ppRootPeer) +{ + permittedPeers_t *pCurr; + permittedPeers_t *pDel; + DEFiRet; + + assert(ppRootPeer != NULL); + + for(pCurr = *ppRootPeer ; pCurr != NULL ; /*EMPTY*/) { + pDel = pCurr; + pCurr = pCurr->pNext; + free(pDel->pszID); + free(pDel); + } + + *ppRootPeer = NULL; + + RETiRet; +} + + +/* ------------------------------ end permitted peers code ------------------------------ */ + + /* Code for handling allowed/disallowed senders */ static inline void MaskIP6 (struct in6_addr *addr, uint8_t bits) { @@ -1095,6 +1157,8 @@ CODESTARTobjQueryInterface(net) pIf->isAllowedSender = isAllowedSender; pIf->should_use_so_bsdcompat = should_use_so_bsdcompat; pIf->getLocalHostname = getLocalHostname; + pIf->AddPermittedPeer = AddPermittedPeer; + pIf->DestructPermittedPeers = DestructPermittedPeers; finalize_it: ENDobjQueryInterface(net) |