summaryrefslogtreecommitdiffstats
path: root/runtime
diff options
context:
space:
mode:
authorRainer Gerhards <rgerhards@adiscon.com>2008-05-15 16:58:25 +0200
committerRainer Gerhards <rgerhards@adiscon.com>2008-05-15 16:58:25 +0200
commitffa17a25d2c2098d4977d377cbf20d0136fea820 (patch)
treea9ab3a1ab92ac29cbacaa00c28e9d3cc5eae59ca /runtime
parentd594f83a893a517328f55b0b0b3240c4073efb89 (diff)
downloadrsyslog-ffa17a25d2c2098d4977d377cbf20d0136fea820.tar.gz
rsyslog-ffa17a25d2c2098d4977d377cbf20d0136fea820.tar.xz
rsyslog-ffa17a25d2c2098d4977d377cbf20d0136fea820.zip
client provides x.509 and server prints fingerprint
Diffstat (limited to 'runtime')
-rw-r--r--runtime/nsd_gtls.c37
-rw-r--r--runtime/nsdsel_gtls.c3
2 files changed, 34 insertions, 6 deletions
diff --git a/runtime/nsd_gtls.c b/runtime/nsd_gtls.c
index 03ceba7b..3edaf68f 100644
--- a/runtime/nsd_gtls.c
+++ b/runtime/nsd_gtls.c
@@ -120,6 +120,31 @@ uchar *gtlsStrerror(int error)
}
+/* add our own certificate to the certificate set, so that the peer
+ * can identify us. Please note that we try to use mutual authentication,
+ * so we always add a cert, even if we are in the client role (later,
+ * this may be controlled by a config setting).
+ * rgerhards, 2008-05-15
+ */
+static rsRetVal
+gtlsAddOurCert(void)
+{
+ int gnuRet;
+ uchar *keyFile;
+ uchar *certFile;
+ DEFiRet;
+
+ certFile = glbl.GetDfltNetstrmDrvrCertFile();
+ keyFile = glbl.GetDfltNetstrmDrvrKeyFile();
+ dbgprintf("GTLS certificate file: '%s'\n", certFile);
+ dbgprintf("GTLS key file: '%s'\n", keyFile);
+ CHKgnutls(gnutls_certificate_set_x509_key_file(xcred, (char*)certFile, (char*)keyFile, GNUTLS_X509_FMT_PEM));
+
+finalize_it:
+ RETiRet;
+}
+
+
/* globally initialize GnuTLS */
static rsRetVal
gtlsGlblInit(void)
@@ -210,11 +235,7 @@ gtlsGlblInitLstn(void)
* considered legacy. -- rgerhards, 2008-05-05
*/
/*CHKgnutls(gnutls_certificate_set_x509_crl_file(xcred, CRLFILE, GNUTLS_X509_FMT_PEM));*/
- certFile = glbl.GetDfltNetstrmDrvrCertFile();
- keyFile = glbl.GetDfltNetstrmDrvrKeyFile();
- dbgprintf("GTLS certificate file: '%s'\n", certFile);
- dbgprintf("GTLS key file: '%s'\n", keyFile);
- CHKgnutls(gnutls_certificate_set_x509_key_file(xcred, (char*)certFile, (char*)keyFile, GNUTLS_X509_FMT_PEM));
+ //CHKiRet(gtlsAddOurCert());
CHKiRet(generate_dh_params());
gnutls_certificate_set_dh_params(xcred, dh_params); /* this is void */
bGlblSrvrInitDone = 1; /* we are all set now */
@@ -228,7 +249,8 @@ finalize_it:
/* check the fingerprint of the remote peer's certificate.
* rgerhards, 2008-05-08
*/
-static rsRetVal
+//static rsRetVal
+rsRetVal
gtlsChkFingerprint(nsd_gtls_t *pThis)
{
cstr_t *pstrFingerprint = NULL;
@@ -270,6 +292,7 @@ gtlsChkFingerprint(nsd_gtls_t *pThis)
finalize_it:
+dbgprintf("exit fingerprint check, iRet %d\n", iRet);
if(pstrFingerprint != NULL)
rsCStrDestruct(&pstrFingerprint);
if(bMustDeinitCert)
@@ -333,6 +356,8 @@ gtlsSetTransportPtr(nsd_gtls_t *pThis, int sock)
/* Standard-Constructor */
BEGINobjConstruct(nsd_gtls) /* be sure to specify the object type also in END macro! */
iRet = nsd_ptcp.Construct(&pThis->pTcp);
+CHKiRet(gtlsAddOurCert());
+finalize_it:
ENDobjConstruct(nsd_gtls)
diff --git a/runtime/nsdsel_gtls.c b/runtime/nsdsel_gtls.c
index 1ee4b46c..f8889a48 100644
--- a/runtime/nsdsel_gtls.c
+++ b/runtime/nsdsel_gtls.c
@@ -128,9 +128,12 @@ doRetry(nsd_gtls_t *pNsd)
switch(pNsd->rtryCall) {
case gtlsRtry_handshake:
gnuRet = gnutls_handshake(pNsd->sess);
+ dbgprintf("handshake ret %d\n", gnuRet);
if(gnuRet == 0) {
/* we got a handshake, now check authorization */
// TODO: do it!
+ dbgprintf("handshake done\n");
+ gtlsChkFingerprint(pNsd);
}
break;
default: