From 6ea98ec5fff21c362e28a0121b78b8e6bb3b2528 Mon Sep 17 00:00:00 2001 From: Rainer Gerhards Date: Fri, 16 May 2008 18:26:25 +0200 Subject: added first rough ability to authenticate the server against its certificate This is very experimental and needs some more work. It probably even segfaults - but the base code is there and running. The rest is refinement. While working on this, I did these two bugfixes: - bugfix: small mem leak in omfwd on exit (strmdriver name was not freed) - bugfix: $ActionSendStreamDriver had no effect --- runtime/netstrm.c | 32 ++++++++++++++++++++++++++++++++ 1 file changed, 32 insertions(+) (limited to 'runtime/netstrm.c') diff --git a/runtime/netstrm.c b/runtime/netstrm.c index a1384a28..899cb3bf 100644 --- a/runtime/netstrm.c +++ b/runtime/netstrm.c @@ -172,6 +172,10 @@ Rcv(netstrm_t *pThis, uchar *pBuf, ssize_t *pLenBuf) RETiRet; } +/* here follows a number of methods that shuffle authentication settings down + * to the drivers. Drivers not supporting these settings may return an error + * state. + * -------------------------------------------------------------------------- */ /* set the driver mode * rgerhards, 2008-04-28 @@ -186,6 +190,32 @@ SetDrvrMode(netstrm_t *pThis, int iMode) } +/* set the driver authentication mode -- rgerhards, 2008-05-16 + */ +static rsRetVal +SetDrvrAuthMode(netstrm_t *pThis, uchar *mode) +{ + DEFiRet; + ISOBJ_TYPE_assert(pThis, netstrm); + iRet = pThis->Drvr.SetAuthMode(pThis->pDrvrData, mode); + RETiRet; +} + + +/* add an accepted fingerprint -- rgerhards, 2008-05-16 + */ +static rsRetVal +AddDrvrPermittedFingerprint(netstrm_t *pThis, uchar *fingerprint) +{ + DEFiRet; + ISOBJ_TYPE_assert(pThis, netstrm); + iRet = pThis->Drvr.AddPermFingerprint(pThis->pDrvrData, fingerprint); + RETiRet; +} + +/* End of methods to shuffle autentication settings to the driver. + * -------------------------------------------------------------------------- */ + /* send a buffer. On entry, pLenBuf contains the number of octets to * write. On exit, it contains the number of octets actually written. * If this number is lower than on entry, only a partial buffer has @@ -280,6 +310,8 @@ CODESTARTobjQueryInterface(netstrm) pIf->GetRemoteHName = GetRemoteHName; pIf->GetRemoteIP = GetRemoteIP; pIf->SetDrvrMode = SetDrvrMode; + pIf->SetDrvrAuthMode = SetDrvrAuthMode; + pIf->AddDrvrPermittedFingerprint = AddDrvrPermittedFingerprint; pIf->GetSock = GetSock; finalize_it: ENDobjQueryInterface(netstrm) -- cgit v1.2.3 From 85b587f93d7f1294fae78317c0841a30aaa03583 Mon Sep 17 00:00:00 2001 From: Rainer Gerhards Date: Mon, 19 May 2008 18:52:44 +0200 Subject: first implementation of TLS server client authentication check The TLS server now checks the client fingerprint. This works, but is highly experimental. Needs to be refined for practice. Also: - implemented permittedPeers helper construct to store names - changed omfwd implementation to use new permittedPeers --- runtime/netstrm.c | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) (limited to 'runtime/netstrm.c') diff --git a/runtime/netstrm.c b/runtime/netstrm.c index 899cb3bf..786ba7f8 100644 --- a/runtime/netstrm.c +++ b/runtime/netstrm.c @@ -43,6 +43,7 @@ #include #include "rsyslog.h" +#include "net.h" #include "module-template.h" #include "obj.h" #include "errmsg.h" @@ -202,20 +203,21 @@ SetDrvrAuthMode(netstrm_t *pThis, uchar *mode) } -/* add an accepted fingerprint -- rgerhards, 2008-05-16 - */ +/* set the driver's permitted peers -- rgerhards, 2008-05-19 */ static rsRetVal -AddDrvrPermittedFingerprint(netstrm_t *pThis, uchar *fingerprint) +SetDrvrPermPeers(netstrm_t *pThis, permittedPeers_t *pPermPeers) { DEFiRet; ISOBJ_TYPE_assert(pThis, netstrm); - iRet = pThis->Drvr.AddPermFingerprint(pThis->pDrvrData, fingerprint); + iRet = pThis->Drvr.SetPermPeers(pThis->pDrvrData, pPermPeers); RETiRet; } + /* End of methods to shuffle autentication settings to the driver. * -------------------------------------------------------------------------- */ + /* send a buffer. On entry, pLenBuf contains the number of octets to * write. On exit, it contains the number of octets actually written. * If this number is lower than on entry, only a partial buffer has @@ -311,7 +313,7 @@ CODESTARTobjQueryInterface(netstrm) pIf->GetRemoteIP = GetRemoteIP; pIf->SetDrvrMode = SetDrvrMode; pIf->SetDrvrAuthMode = SetDrvrAuthMode; - pIf->AddDrvrPermittedFingerprint = AddDrvrPermittedFingerprint; + pIf->SetDrvrPermPeers = SetDrvrPermPeers; pIf->GetSock = GetSock; finalize_it: ENDobjQueryInterface(netstrm) -- cgit v1.2.3