diff options
| author | Rainer Gerhards <rgerhards@adiscon.com> | 2008-05-19 18:52:44 +0200 |
|---|---|---|
| committer | Rainer Gerhards <rgerhards@adiscon.com> | 2008-05-19 18:52:44 +0200 |
| commit | 85b587f93d7f1294fae78317c0841a30aaa03583 (patch) | |
| tree | fcfcf000d37b873cf385782fe8c411fb21f1b1c0 /runtime/net.h | |
| parent | 48684ceac5d57f2c3bc9e8afce98d2026ab51958 (diff) | |
| download | rsyslog-85b587f93d7f1294fae78317c0841a30aaa03583.tar.gz rsyslog-85b587f93d7f1294fae78317c0841a30aaa03583.tar.xz rsyslog-85b587f93d7f1294fae78317c0841a30aaa03583.zip | |
first implementation of TLS server client authentication check
The TLS server now checks the client fingerprint. This works, but
is highly experimental. Needs to be refined for practice. Also:
- implemented permittedPeers helper construct to store names
- changed omfwd implementation to use new permittedPeers
Diffstat (limited to 'runtime/net.h')
| -rw-r--r-- | runtime/net.h | 19 |
1 files changed, 18 insertions, 1 deletions
diff --git a/runtime/net.h b/runtime/net.h index 9e471bf9..673f45a9 100644 --- a/runtime/net.h +++ b/runtime/net.h @@ -91,6 +91,20 @@ struct AllowedSenders { }; +/* for fingerprints and hostnames, we need to have a temporary linked list of + * permitted values. Unforutnately, we must also duplicate this in the netstream + * drivers. However, this is the best interim solution (with the least effort). + * A clean implementation requires that we have more capable variables and the + * full-fledged scripting engine available. So we have opted to do the interim + * solution so that our users can begin to enjoy authenticated TLS. The next step + * (hopefully) is to enhance RainerScript. -- rgerhards, 2008-05-19 + */ +struct permittedPeers_s { + uchar *pszID; + permittedPeers_t *pNext; +}; + + /* interfaces */ BEGINinterface(net) /* name must also be changed in ENDinterface macro! */ rsRetVal (*cvthname)(struct sockaddr_storage *f, uchar *pszHost, uchar *pszHostFQDN, uchar *pszIP); @@ -104,7 +118,10 @@ BEGINinterface(net) /* name must also be changed in ENDinterface macro! */ int (*isAllowedSender)(struct AllowedSenders *pAllowRoot, struct sockaddr *pFrom, const char *pszFromHost); rsRetVal (*getLocalHostname)(uchar**); int (*should_use_so_bsdcompat)(void); - /* data memebers - these should go away over time... TODO */ + /* permitted peer handling should be replaced by something better (see comments above) */ + rsRetVal (*AddPermittedPeer)(permittedPeers_t **ppRootPeer, uchar *pszID); + rsRetVal (*DestructPermittedPeers)(permittedPeers_t **ppRootPeer); + /* data members - these should go away over time... TODO */ int *pACLAddHostnameOnFail; /* add hostname to acl when DNS resolving has failed */ int *pACLDontResolve; /* add hostname to acl instead of resolving it to IP(s) */ struct AllowedSenders *pAllowedSenders_UDP; |