authorRainer Gerhards <rgerhards@adiscon.com>2008-05-16 18:26:25 +0200
committerRainer Gerhards <rgerhards@adiscon.com>2008-05-16 18:26:25 +0200
commit6ea98ec5fff21c362e28a0121b78b8e6bb3b2528 (patch)
tree3b4f434a5b8329acd82ef77d3d5d0144218b9e79 /runtime/nsd_gtls.h
parent29ebd4ab3e391aea53b6e337061d226359aeb993 (diff)
added first rough ability to authenticate the server against its certificate
This is very experimental and needs some more work. It probably even segfaults - but the base code is there and running. The rest is refinement. While working on this, I did these two bugfixes: - bugfix: small mem leak in omfwd on exit (strmdriver name was not freed) - bugfix: $ActionSendStreamDriver had no effect
Diffstat (limited to 'runtime/nsd_gtls.h')
-rw-r--r--runtime/nsd_gtls.h6
1 files changed, 6 insertions, 0 deletions
diff --git a/runtime/nsd_gtls.h b/runtime/nsd_gtls.h
index bbb0eb9e..885a8b30 100644
--- a/runtime/nsd_gtls.h
+++ b/runtime/nsd_gtls.h
@@ -38,11 +38,17 @@ struct nsd_gtls_s {
BEGINobjInstance; /* Data to implement generic object - MUST be the first data element! */
nsd_t *pTcp; /**< our aggregated nsd_ptcp data */
int iMode; /* 0 - plain tcp, 1 - TLS */
+ enum {
+ GTLS_AUTH_CERTNAME = 0,
+ GTLS_AUTH_CERTFINGERPRINT = 1,
+ GTLS_AUTH_CERTANON = 2
+ } authMode;
gtlsRtryCall_t rtryCall;/**< what must we retry? */
int bIsInitiator; /**< 0 if socket is the server end (listener), 1 if it is the initiator */
gnutls_session sess;
int bHaveSess; /* as we don't know exactly which gnutls_session values are invalid, we use this one
to flag whether or not we are in a session (same as -1 for a socket meaning no sess) */
+ uchar *authIDs; /* TODO: make linked list, currently just a single fingerprint, must also support names */
};
/* interface is defined in nsd.h, we just implement it! */
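Review bot: The new `authMode` and `authIDs` members carry the security decision for the session but are not documented where they are declared. Nothing states what each mode checks; if, as the name suggests, `GTLS_AUTH_CERTANON` means the peer certificate is not verified, that should be said on the enumerator, e.g. `GTLS_AUTH_CERTANON = 2 /* peer is not authenticated */`. It is also worth noting that value 0 is `GTLS_AUTH_CERTNAME`, so a zero-initialised instance would select name checking (whether the constructor zeroes the object is not visible in this hunk). The `authIDs` comment should additionally state the fingerprint's encoding (hash algorithm, text or binary) and who allocates and frees the buffer, since it is a bare `uchar *` with no length. The enum is anonymous, so no other code can declare a variable or parameter of this type; the struct itself opens above the hunk.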