From 6ea98ec5fff21c362e28a0121b78b8e6bb3b2528 Mon Sep 17 00:00:00 2001
From: Rainer Gerhards
Date: Fri, 16 May 2008 18:26:25 +0200
Subject: added first rough ability to authenticate the server against its certificate
This is very experimental and needs some more work. It probably even segfaults - but the base code is there and running. The rest is refinement. While working on this, I did these two bugfixes:
- bugfix: small mem leak in omfwd on exit (strmdriver name was not freed)
- bugfix: $ActionSendStreamDriver had no effect
---
 runtime/rsyslog.h | 3 +++
 1 file changed, 3 insertions(+)
(limited to 'runtime/rsyslog.h')
diff --git a/runtime/rsyslog.h b/runtime/rsyslog.h
index 367a239f..088a14db 100644
--- a/runtime/rsyslog.h
+++ b/runtime/rsyslog.h
@@ -224,6 +224,9 @@ enum rsRetVal_ /** return value. All methods return this if not specified oth
 RS_RET_TLS_HANDSHAKE_ERR = -2083, /**< TLS handshake failed */
 RS_RET_TLS_CERT_ERR = -2084, /**< generic TLS certificate error */
 RS_RET_TLS_NO_CERT = -2085, /**< no TLS certificate available where one was expected */
+ RS_RET_VALUE_NOT_SUPPORTED = -2086, /**< a provided value is not supported */
+ RS_RET_VALUE_NOT_IN_THIS_MODE = -2087, /**< a provided value is invalid for the curret mode */
+ RS_RET_INVALID_FINGERPRINT = -2088, /**< a fingerprint is not valid for this use case */
 /* RainerScript error messages (range 1000.. 1999) */
 RS_RET_SYSVAR_NOT_FOUND = 1001, /**< system variable could not be found (maybe misspelled) */
--
cgit v1.2.3
From 48684ceac5d57f2c3bc9e8afce98d2026ab51958 Mon Sep 17 00:00:00 2001
From: Rainer Gerhards
Date: Mon, 19 May 2008 09:43:37 +0200
Subject: improved error messages and corrected fingerprint format
---
 runtime/rsyslog.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'runtime/rsyslog.h')
diff --git a/runtime/rsyslog.h b/runtime/rsyslog.h
index 088a14db..fe26bb44 100644
--- a/runtime/rsyslog.h
+++ b/runtime/rsyslog.h
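Review bot: In the `@@ -224,6 +224,9 @@` hunk of commit 6ea98ec5, the comment on the new `RS_RET_VALUE_NOT_IN_THIS_MODE` entry misspells "current" as "curret"; the line should read `RS_RET_VALUE_NOT_IN_THIS_MODE = -2087, /**< a provided value is invalid for the current mode */`. The same typo is carried unchanged as a context line into the `@@ -227,6 +228,7 @@` hunk of commit 85b587f9. The comment on `RS_RET_INVALID_FINGERPRINT` does not say whether the code reports a malformed fingerprint string in the configuration or a peer certificate whose fingerprint is not in the permitted set; a caller would log and react differently to a configuration error than to a failed peer authentication, so the comment should state which case (or both) is meant, e.g. `/**< fingerprint is malformed or does not match a permitted peer */` if both apply. The enclosing `enum rsRetVal_` begins and ends outside the hunk.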
@@ -219,7 +219,7 @@ enum rsRetVal_ /** return value. All methods return this if not specified oth
 RS_RET_GNUTLS_ERR = -2078, /**< (unexpected) error in GnuTLS call */
 RS_RET_MAX_SESS_REACHED = -2079, /**< max nbr of sessions reached, can not create more */
 RS_RET_MAX_LSTN_REACHED = -2080, /**< max nbr of listeners reached, can not create more */
- RS_RET_INVAID_DRVR_MODE = -2081, /**< tried to set mode not supported by driver */
+ RS_RET_INVALID_DRVR_MODE = -2081, /**< tried to set mode not supported by driver */
 RS_RET_DRVRNAME_TOO_LONG = -2082, /**< driver name too long - should never happen */
 RS_RET_TLS_HANDSHAKE_ERR = -2083, /**< TLS handshake failed */
 RS_RET_TLS_CERT_ERR = -2084, /**< generic TLS certificate error */
--
cgit v1.2.3
From 85b587f93d7f1294fae78317c0841a30aaa03583 Mon Sep 17 00:00:00 2001
From: Rainer Gerhards
Date: Mon, 19 May 2008 18:52:44 +0200
Subject: first implementation of TLS server client authentication check
The TLS server now checks the client fingerprint. This works, but is highly experimental. Needs to be refined for practice. Also:
- implemented permittedPeers helper construct to store names
- changed omfwd implementation to use new permittedPeers
---
 runtime/rsyslog.h | 2 ++
 1 file changed, 2 insertions(+)
(limited to 'runtime/rsyslog.h')
diff --git a/runtime/rsyslog.h b/runtime/rsyslog.h
index fe26bb44..c06b01c3 100644
--- a/runtime/rsyslog.h
+++ b/runtime/rsyslog.h
@@ -81,6 +81,7 @@ typedef struct interface_s interface_t;
 typedef struct objInfo_s objInfo_t;
 typedef enum rsRetVal_ rsRetVal; /**< friendly type for global return value */
 typedef rsRetVal (*errLogFunc_t)(uchar*); /* this is a trick to store a function ptr to a function returning a function ptr... */
+typedef struct permittedPeers_s permittedPeers_t; /* this should go away in the long term -- rgerhards, 2008-05-19 */
 typedef struct tcpsrv_s tcpsrv_t;
 /* some universal 64 bit define... */
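Review bot: The new `permittedPeers_t` forward declaration in the `@@ -81,6 +81,7 @@` hunk of commit 85b587f9 carries a "should go away" note that gives neither the reason nor where the type is meant to live, so a later reader cannot tell whether it is safe to move or remove. The commit message says the permittedPeers construct stores peer names and is used by both the TLS server's client check and omfwd, which is worth recording at the declaration since the struct layout is not visible from this header. Suggest `typedef struct permittedPeers_s permittedPeers_t; /* list of permitted peer names for TLS peer authentication; declared here only until it gets its own header -- rgerhards, 2008-05-19 */`.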
@@ -227,6 +228,7 @@ enum rsRetVal_ /** return value. All methods return this if not specified oth
 RS_RET_VALUE_NOT_SUPPORTED = -2086, /**< a provided value is not supported */
 RS_RET_VALUE_NOT_IN_THIS_MODE = -2087, /**< a provided value is invalid for the curret mode */
 RS_RET_INVALID_FINGERPRINT = -2088, /**< a fingerprint is not valid for this use case */
+ RS_RET_CONNECTION_ABORTREQ = -2089, /**< connection was abort requested due to previous error */
 /* RainerScript error messages (range 1000.. 1999) */
 RS_RET_SYSVAR_NOT_FOUND = 1001, /**< system variable could not be found (maybe misspelled) */
--
cgit v1.2.3
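Review bot: The comment on the new `RS_RET_CONNECTION_ABORTREQ` entry in the `@@ -227,6 +228,7 @@` hunk is ungrammatical ("connection was abort requested") and does not say what the receiver of this code is expected to do with it. Suggest `RS_RET_CONNECTION_ABORTREQ = -2089, /**< abort of the connection was requested because of an earlier error */`, and if the intended reaction is that the caller closes the connection, say so in the comment; that reading is inferred from the name only and needs confirming against the code that returns it. The enclosing `enum rsRetVal_` begins and ends outside the hunk.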