summaryrefslogtreecommitdiffstats
path: root/runtime
diff options
context:
space:
mode:
authorRainer Gerhards <rgerhards@adiscon.com>2008-05-19 18:52:44 +0200
committerRainer Gerhards <rgerhards@adiscon.com>2008-05-19 18:52:44 +0200
commit85b587f93d7f1294fae78317c0841a30aaa03583 (patch)
treefcfcf000d37b873cf385782fe8c411fb21f1b1c0 /runtime
parent48684ceac5d57f2c3bc9e8afce98d2026ab51958 (diff)
downloadrsyslog-85b587f93d7f1294fae78317c0841a30aaa03583.tar.gz
rsyslog-85b587f93d7f1294fae78317c0841a30aaa03583.tar.xz
rsyslog-85b587f93d7f1294fae78317c0841a30aaa03583.zip
first implementation of TLS server client authentication check
The TLS server now checks the client fingerprint. This works, but is highly experimental. Needs to be refined for practice. Also: - implemented permittedPeers helper construct to store names - changed omfwd implementation to use new permittedPeers
Diffstat (limited to 'runtime')
-rw-r--r--runtime/net.c64
-rw-r--r--runtime/net.h19
-rw-r--r--runtime/netstrm.c12
-rw-r--r--runtime/netstrm.h2
-rw-r--r--runtime/netstrms.c51
-rw-r--r--runtime/netstrms.h9
-rw-r--r--runtime/nsd.h2
-rw-r--r--runtime/nsd_gtls.c55
-rw-r--r--runtime/nsd_gtls.h3
-rw-r--r--runtime/nsd_ptcp.c20
-rw-r--r--runtime/nsdsel_gtls.c9
-rw-r--r--runtime/rsyslog.h2
12 files changed, 209 insertions, 39 deletions
diff --git a/runtime/net.c b/runtime/net.c
index 7663b1b3..cbff1003 100644
--- a/runtime/net.c
+++ b/runtime/net.c
@@ -88,6 +88,68 @@ static struct AllowedSenders *pLastAllowedSenders_GSS = NULL;
int ACLAddHostnameOnFail = 0; /* add hostname to acl when DNS resolving has failed */
int ACLDontResolve = 0; /* add hostname to acl instead of resolving it to IP(s) */
+
+/* ------------------------------ begin permitted peers code ------------------------------ */
+
+
+/* add a permitted peer. PermittedPeers is an interim solution until we can provide
+ * access control via enhanced RainerScript methods.
+ * Note: the provided string is handed over to this function, caller must
+ * no longer access it. -- rgerhards, 2008-05-19
+ */
+static rsRetVal
+AddPermittedPeer(permittedPeers_t **ppRootPeer, uchar* pszID)
+{
+ permittedPeers_t *pNew = NULL;
+ DEFiRet;
+
+ assert(ppRootPeer != NULL);
+ assert(pszID != NULL);
+
+ CHKmalloc(pNew = malloc(sizeof(permittedPeers_t)));
+ CHKmalloc(pNew->pszID = (uchar*)strdup((char*)pszID));
+ pNew->pNext = NULL;
+
+ if(*ppRootPeer != NULL) {
+ pNew->pNext = *ppRootPeer;
+ }
+ *ppRootPeer = pNew;
+
+finalize_it:
+ if(iRet != RS_RET_OK) {
+ if(pNew != NULL)
+ free(pNew);
+ }
+ RETiRet;
+}
+
+
+/* Destruct a permitted peers list -- rgerhards, 2008-05-19 */
+static rsRetVal
+DestructPermittedPeers(permittedPeers_t **ppRootPeer)
+{
+ permittedPeers_t *pCurr;
+ permittedPeers_t *pDel;
+ DEFiRet;
+
+ assert(ppRootPeer != NULL);
+
+ for(pCurr = *ppRootPeer ; pCurr != NULL ; /*EMPTY*/) {
+ pDel = pCurr;
+ pCurr = pCurr->pNext;
+ free(pDel->pszID);
+ free(pDel);
+ }
+
+ *ppRootPeer = NULL;
+
+ RETiRet;
+}
+
+
+/* ------------------------------ end permitted peers code ------------------------------ */
+
+
/* Code for handling allowed/disallowed senders
*/
static inline void MaskIP6 (struct in6_addr *addr, uint8_t bits) {
@@ -1095,6 +1157,8 @@ CODESTARTobjQueryInterface(net)
pIf->isAllowedSender = isAllowedSender;
pIf->should_use_so_bsdcompat = should_use_so_bsdcompat;
pIf->getLocalHostname = getLocalHostname;
+ pIf->AddPermittedPeer = AddPermittedPeer;
+ pIf->DestructPermittedPeers = DestructPermittedPeers;
finalize_it:
ENDobjQueryInterface(net)
diff --git a/runtime/net.h b/runtime/net.h
index 9e471bf9..673f45a9 100644
--- a/runtime/net.h
+++ b/runtime/net.h
@@ -91,6 +91,20 @@ struct AllowedSenders {
};
+/* for fingerprints and hostnames, we need to have a temporary linked list of
+ * permitted values. Unforutnately, we must also duplicate this in the netstream
+ * drivers. However, this is the best interim solution (with the least effort).
+ * A clean implementation requires that we have more capable variables and the
+ * full-fledged scripting engine available. So we have opted to do the interim
+ * solution so that our users can begin to enjoy authenticated TLS. The next step
+ * (hopefully) is to enhance RainerScript. -- rgerhards, 2008-05-19
+ */
+struct permittedPeers_s {
+ uchar *pszID;
+ permittedPeers_t *pNext;
+};
+
+
/* interfaces */
BEGINinterface(net) /* name must also be changed in ENDinterface macro! */
rsRetVal (*cvthname)(struct sockaddr_storage *f, uchar *pszHost, uchar *pszHostFQDN, uchar *pszIP);
@@ -104,7 +118,10 @@ BEGINinterface(net) /* name must also be changed in ENDinterface macro! */
int (*isAllowedSender)(struct AllowedSenders *pAllowRoot, struct sockaddr *pFrom, const char *pszFromHost);
rsRetVal (*getLocalHostname)(uchar**);
int (*should_use_so_bsdcompat)(void);
- /* data memebers - these should go away over time... TODO */
+ /* permitted peer handling should be replaced by something better (see comments above) */
+ rsRetVal (*AddPermittedPeer)(permittedPeers_t **ppRootPeer, uchar *pszID);
+ rsRetVal (*DestructPermittedPeers)(permittedPeers_t **ppRootPeer);
+ /* data members - these should go away over time... TODO */
int *pACLAddHostnameOnFail; /* add hostname to acl when DNS resolving has failed */
int *pACLDontResolve; /* add hostname to acl instead of resolving it to IP(s) */
struct AllowedSenders *pAllowedSenders_UDP;
diff --git a/runtime/netstrm.c b/runtime/netstrm.c
index 899cb3bf..786ba7f8 100644
--- a/runtime/netstrm.c
+++ b/runtime/netstrm.c
@@ -43,6 +43,7 @@
#include <string.h>
#include "rsyslog.h"
+#include "net.h"
#include "module-template.h"
#include "obj.h"
#include "errmsg.h"
@@ -202,20 +203,21 @@ SetDrvrAuthMode(netstrm_t *pThis, uchar *mode)
}
-/* add an accepted fingerprint -- rgerhards, 2008-05-16
- */
+/* set the driver's permitted peers -- rgerhards, 2008-05-19 */
static rsRetVal
-AddDrvrPermittedFingerprint(netstrm_t *pThis, uchar *fingerprint)
+SetDrvrPermPeers(netstrm_t *pThis, permittedPeers_t *pPermPeers)
{
DEFiRet;
ISOBJ_TYPE_assert(pThis, netstrm);
- iRet = pThis->Drvr.AddPermFingerprint(pThis->pDrvrData, fingerprint);
+ iRet = pThis->Drvr.SetPermPeers(pThis->pDrvrData, pPermPeers);
RETiRet;
}
+
/* End of methods to shuffle autentication settings to the driver.
* -------------------------------------------------------------------------- */
+
/* send a buffer. On entry, pLenBuf contains the number of octets to
* write. On exit, it contains the number of octets actually written.
* If this number is lower than on entry, only a partial buffer has
@@ -311,7 +313,7 @@ CODESTARTobjQueryInterface(netstrm)
pIf->GetRemoteIP = GetRemoteIP;
pIf->SetDrvrMode = SetDrvrMode;
pIf->SetDrvrAuthMode = SetDrvrAuthMode;
- pIf->AddDrvrPermittedFingerprint = AddDrvrPermittedFingerprint;
+ pIf->SetDrvrPermPeers = SetDrvrPermPeers;
pIf->GetSock = GetSock;
finalize_it:
ENDobjQueryInterface(netstrm)
diff --git a/runtime/netstrm.h b/runtime/netstrm.h
index ffdb392e..ae135beb 100644
--- a/runtime/netstrm.h
+++ b/runtime/netstrm.h
@@ -51,7 +51,7 @@ BEGINinterface(netstrm) /* name must also be changed in ENDinterface macro! */
rsRetVal (*GetRemoteIP)(netstrm_t *pThis, uchar **pszIP);
rsRetVal (*SetDrvrMode)(netstrm_t *pThis, int iMode);
rsRetVal (*SetDrvrAuthMode)(netstrm_t *pThis, uchar*);
- rsRetVal (*AddDrvrPermittedFingerprint)(netstrm_t *pThis, uchar*);
+ rsRetVal (*SetDrvrPermPeers)(netstrm_t *pThis, permittedPeers_t*);
/* the GetSock() below is a hack to make imgssapi work. In the long term,
* we should migrate imgssapi to a stream driver, which will relieve us of
* this problem. Please note that nobody else should use GetSock(). Using it
diff --git a/runtime/netstrms.c b/runtime/netstrms.c
index 03a46329..3e5b7819 100644
--- a/runtime/netstrms.c
+++ b/runtime/netstrms.c
@@ -146,8 +146,53 @@ finalize_it:
}
-/* set the driver mode -- rgerhards, 2008-04-30
+/* set the driver's permitted peers -- rgerhards, 2008-05-19 */
+static rsRetVal
+SetDrvrPermPeers(netstrms_t *pThis, permittedPeers_t *pPermPeers)
+{
+ DEFiRet;
+ ISOBJ_TYPE_assert(pThis, netstrms);
+ pThis->pPermPeers = pPermPeers;
+ RETiRet;
+}
+/* return the driver's permitted peers
+ * We use non-standard calling conventions because it makes an awful lot
+ * of sense here.
+ * rgerhards, 2008-05-19
+ */
+static uchar*
+GetDrvrPermPeers(netstrms_t *pThis)
+{
+ ISOBJ_TYPE_assert(pThis, netstrms);
+ return pThis->pPermPeers;
+}
+
+
+/* set the driver auth mode -- rgerhards, 2008-05-19 */
+static rsRetVal
+SetDrvrAuthMode(netstrms_t *pThis, uchar *mode)
+{
+ DEFiRet;
+ ISOBJ_TYPE_assert(pThis, netstrms);
+RUNLOG_VAR("%s", mode);
+ CHKmalloc(pThis->pszDrvrAuthMode = (uchar*)strdup((char*)mode));
+finalize_it:
+ RETiRet;
+}
+/* return the driver auth mode
+ * We use non-standard calling conventions because it makes an awful lot
+ * of sense here.
+ * rgerhards, 2008-05-19
*/
+static uchar*
+GetDrvrAuthMode(netstrms_t *pThis)
+{
+ ISOBJ_TYPE_assert(pThis, netstrms);
+ return pThis->pszDrvrAuthMode;
+}
+
+
+/* set the driver mode -- rgerhards, 2008-04-30 */
static rsRetVal
SetDrvrMode(netstrms_t *pThis, int iMode)
{
@@ -221,6 +266,10 @@ CODESTARTobjQueryInterface(netstrms)
pIf->SetDrvrName = SetDrvrName;
pIf->SetDrvrMode = SetDrvrMode;
pIf->GetDrvrMode = GetDrvrMode;
+ pIf->SetDrvrAuthMode = SetDrvrAuthMode;
+ pIf->GetDrvrAuthMode = GetDrvrAuthMode;
+ pIf->SetDrvrPermPeers = SetDrvrPermPeers;
+ pIf->GetDrvrPermPeers = GetDrvrPermPeers;
finalize_it:
ENDobjQueryInterface(netstrms)
diff --git a/runtime/netstrms.h b/runtime/netstrms.h
index 1d1cc892..3f686af6 100644
--- a/runtime/netstrms.h
+++ b/runtime/netstrms.h
@@ -32,6 +32,9 @@ struct netstrms_s {
uchar *pBaseDrvrName; /**< nsd base driver name to use, or NULL if system default */
uchar *pDrvrName; /**< full base driver name (set when driver is loaded) */
int iDrvrMode; /**< current default driver mode */
+ uchar *pszDrvrAuthMode; /**< current driver authentication mode */
+ permittedPeers_t *pPermPeers;/**< current driver's permitted peers */
+
nsd_if_t Drvr; /**< our stream driver */
};
@@ -44,7 +47,11 @@ BEGINinterface(netstrms) /* name must also be changed in ENDinterface macro! */
rsRetVal (*CreateStrm)(netstrms_t *pThis, netstrm_t **ppStrm);
rsRetVal (*SetDrvrName)(netstrms_t *pThis, uchar *pszName);
rsRetVal (*SetDrvrMode)(netstrms_t *pThis, int iMode);
- int (*GetDrvrMode)(netstrms_t *pThis);
+ rsRetVal (*SetDrvrAuthMode)(netstrms_t *pThis, uchar*);
+ rsRetVal (*SetDrvrPermPeers)(netstrms_t *pThis, permittedPeers_t*);
+ int (*GetDrvrMode)(netstrms_t *pThis);
+ uchar* (*GetDrvrAuthMode)(netstrms_t *pThis);
+ permittedPeers_t* (*GetDrvrPermPeers)(netstrms_t *pThis);
ENDinterface(netstrms)
#define netstrmsCURR_IF_VERSION 1 /* increment whenever you change the interface structure! */
diff --git a/runtime/nsd.h b/runtime/nsd.h
index 1dc9efe9..53693b59 100644
--- a/runtime/nsd.h
+++ b/runtime/nsd.h
@@ -52,7 +52,7 @@ BEGINinterface(nsd) /* name must also be changed in ENDinterface macro! */
rsRetVal (*GetRemoteIP)(nsd_t *pThis, uchar **pszIP);
rsRetVal (*SetMode)(nsd_t *pThis, int mode); /* sets a driver specific mode - see driver doc for details */
rsRetVal (*SetAuthMode)(nsd_t *pThis, uchar*); /* sets a driver specific mode - see driver doc for details */
- rsRetVal (*AddPermFingerprint)(nsd_t *pThis, uchar*); /* sets a driver specific mode - see driver doc for details */
+ rsRetVal (*SetPermPeers)(nsd_t *pThis, permittedPeers_t*); /* sets driver permitted peers for auth needs */
rsRetVal (*GetSock)(nsd_t *pThis, int *pSock);
rsRetVal (*SetSock)(nsd_t *pThis, int sock);
/* GetSock() and SetSock() return an error if the driver does not use plain
diff --git a/runtime/nsd_gtls.c b/runtime/nsd_gtls.c
index 4e7fa3b6..ff162754 100644
--- a/runtime/nsd_gtls.c
+++ b/runtime/nsd_gtls.c
@@ -39,6 +39,7 @@
#include "obj.h"
#include "stringbuf.h"
#include "errmsg.h"
+#include "net.h"
#include "nsd_ptcp.h"
#include "nsdsel_gtls.h"
#include "nsd_gtls.h"
@@ -252,7 +253,6 @@ finalize_it:
/* check the fingerprint of the remote peer's certificate.
* rgerhards, 2008-05-08
*/
-//static rsRetVal
rsRetVal
gtlsChkFingerprint(nsd_gtls_t *pThis)
{
@@ -264,6 +264,8 @@ gtlsChkFingerprint(nsd_gtls_t *pThis)
gnutls_x509_crt cert;
int bMustDeinitCert = 0;
int gnuRet;
+ int bFoundPositiveMatch;
+ permittedPeers_t *pPeer;
DEFiRet;
ISOBJ_TYPE_assert(pThis, nsd_gtls);
@@ -296,11 +298,23 @@ gtlsChkFingerprint(nsd_gtls_t *pThis)
if(pThis->authMode != GTLS_AUTH_CERTFINGERPRINT)
FINALIZE;
- if(pThis->authIDs == NULL || rsCStrSzStrCmp(pstrFingerprint, pThis->authIDs, strlen((char*) pThis->authIDs))) {
- dbgprintf("invalid server fingerprint, not permitted to talk to us\n");
+ /* now search through the permitted peers to see if we can find a permitted one */
+ bFoundPositiveMatch = 0;
+ pPeer = pThis->pPermPeers;
+ while(pPeer != NULL && !bFoundPositiveMatch) {
+ if(!rsCStrSzStrCmp(pstrFingerprint, pPeer->pszID, strlen((char*) pPeer->pszID))) {
+ bFoundPositiveMatch = 1;
+ } else {
+ pPeer = pPeer->pNext;
+ }
+ }
+
+ if(!bFoundPositiveMatch) {
+ dbgprintf("invalid peer fingerprint, not permitted to talk to it\n");
if(pThis->bReportAuthErr == 1) {
- errmsg.LogError(NO_ERRCODE, "error: server fingerprint '%s' unknown - we are "
- "not permitted to talk to this server", rsCStrGetSzStr(pstrFingerprint));
+ errno = 0;
+ errmsg.LogError(NO_ERRCODE, "error: peer fingerprint '%s' unknown - we are "
+ "not permitted to talk to it", rsCStrGetSzStr(pstrFingerprint));
pThis->bReportAuthErr = 0;
}
ABORT_FINALIZE(RS_RET_INVALID_FINGERPRINT);
@@ -401,7 +415,6 @@ SetMode(nsd_t *pNsd, int mode)
DEFiRet;
nsd_gtls_t *pThis = (nsd_gtls_t*) pNsd;
-dbgprintf("SetMode tries to set mode %d\n", mode);
ISOBJ_TYPE_assert((pThis), nsd_gtls);
if(mode != 0 && mode != 1) {
errmsg.LogError(NO_ERRCODE, "error: driver mode %d not supported by "
@@ -450,28 +463,26 @@ dbgprintf("gtls auth mode %d set\n", pThis->authMode);
}
-/* Add a permitted fingerprint. Only useful to call if we are using
- * fingerprint authentication. Results in error if we are not in this mode.
- * rgerhards, 2008-05-16
+/* Set permitted peers. It is depending on the auth mode if this are
+ * fingerprints or names. -- rgerhards, 2008-05-19
*/
static rsRetVal
-AddPermFingerprint(nsd_t *pNsd, uchar *pszFingerprint)
+SetPermPeers(nsd_t *pNsd, permittedPeers_t *pPermPeers)
{
DEFiRet;
nsd_gtls_t *pThis = (nsd_gtls_t*) pNsd;
ISOBJ_TYPE_assert((pThis), nsd_gtls);
- if(pThis->authMode != GTLS_AUTH_CERTFINGERPRINT) {
- errmsg.LogError(NO_ERRCODE, "fingerprint authentication not supported by "
+ if(pPermPeers == NULL)
+ FINALIZE;
+
+ if(pThis->authMode != GTLS_AUTH_CERTFINGERPRINT && pThis->authMode != GTLS_AUTH_CERTNAME) {
+ errmsg.LogError(NO_ERRCODE, "authentication not supported by "
"gtls netstream driver in the configured authentication mode - ignored");
ABORT_FINALIZE(RS_RET_VALUE_NOT_IN_THIS_MODE);
}
- // TODO: proper handling - but we need to redo this when we do the
- // linked list. So for now, this is good enough (but MUST BE CHANGED!).
-
- pThis->authIDs = pszFingerprint;
-dbgprintf("gtls fingerprint '%s' set\n", pThis->authIDs);
+ pThis->pPermPeers = pPermPeers;
finalize_it:
RETiRet;
@@ -590,6 +601,8 @@ AcceptConnReq(nsd_t *pNsd, nsd_t **ppNew)
/* if we reach this point, we are in TLS mode */
CHKiRet(gtlsInitSession(pNew));
gtlsSetTransportPtr(pNew, ((nsd_ptcp_t*) (pNew->pTcp))->sock);
+ pNew->authMode = pThis->authMode;
+ pNew->pPermPeers = pThis->pPermPeers;
/* we now do the handshake. This is a bit complicated, because we are
* on non-blocking sockets. Usually, the handshake will not complete
@@ -633,6 +646,9 @@ Rcv(nsd_t *pNsd, uchar *pBuf, ssize_t *pLenBuf)
nsd_gtls_t *pThis = (nsd_gtls_t*) pNsd;
ISOBJ_TYPE_assert(pThis, nsd_gtls);
+ if(pThis->bAbortConn)
+ ABORT_FINALIZE(RS_RET_CONNECTION_ABORTREQ);
+
if(pThis->iMode == 0) {
CHKiRet(nsd_ptcp.Rcv(pThis->pTcp, pBuf, pLenBuf));
FINALIZE;
@@ -667,6 +683,9 @@ Send(nsd_t *pNsd, uchar *pBuf, ssize_t *pLenBuf)
DEFiRet;
ISOBJ_TYPE_assert(pThis, nsd_gtls);
+ if(pThis->bAbortConn)
+ ABORT_FINALIZE(RS_RET_CONNECTION_ABORTREQ);
+
if(pThis->iMode == 0) {
CHKiRet(nsd_ptcp.Send(pThis->pTcp, pBuf, pLenBuf));
FINALIZE;
@@ -771,7 +790,7 @@ CODESTARTobjQueryInterface(nsd_gtls)
pIf->SetSock = SetSock;
pIf->SetMode = SetMode;
pIf->SetAuthMode = SetAuthMode;
- pIf->AddPermFingerprint = AddPermFingerprint;
+ pIf->SetPermPeers =SetPermPeers;
pIf->GetRemoteHName = GetRemoteHName;
pIf->GetRemoteIP = GetRemoteIP;
finalize_it:
diff --git a/runtime/nsd_gtls.h b/runtime/nsd_gtls.h
index 0576a993..1f3eb6b1 100644
--- a/runtime/nsd_gtls.h
+++ b/runtime/nsd_gtls.h
@@ -38,6 +38,7 @@ struct nsd_gtls_s {
BEGINobjInstance; /* Data to implement generic object - MUST be the first data element! */
nsd_t *pTcp; /**< our aggregated nsd_ptcp data */
int iMode; /* 0 - plain tcp, 1 - TLS */
+ int bAbortConn; /* if set, abort conncection (fatal error had happened) */
enum {
GTLS_AUTH_CERTNAME = 0,
GTLS_AUTH_CERTFINGERPRINT = 1,
@@ -51,7 +52,7 @@ struct nsd_gtls_s {
int bReportAuthErr; /* only the first auth error is to be reported, this var triggers it. Initially, it is
* set to 1 and changed to 0 after the first report. It is changed back to 1 after
* one successful authentication. */
- uchar *authIDs; /* TODO: make linked list, currently just a single fingerprint, must also support names */
+ permittedPeers_t *pPermPeers; /* permitted senders */
};
/* interface is defined in nsd.h, we just implement it! */
diff --git a/runtime/nsd_ptcp.c b/runtime/nsd_ptcp.c
index 6702e118..14c564a3 100644
--- a/runtime/nsd_ptcp.c
+++ b/runtime/nsd_ptcp.c
@@ -153,16 +153,22 @@ finalize_it:
}
-/* Add a permitted fingerprint. This is a dummy, always returning an
+/* Set the permitted peers. This is a dummy, always returning an
* error because we do not support fingerprint authentication.
* rgerhards, 2008-05-17
*/
static rsRetVal
-AddPermFingerprint(nsd_t __attribute__((unused)) *pNsd, uchar __attribute__((unused)) *pszFingerprint)
+SetPermPeers(nsd_t __attribute__((unused)) *pNsd, permittedPeers_t __attribute__((unused)) *pPermPeers)
{
- errmsg.LogError(NO_ERRCODE, "fingerprint authentication not supported by "
- "ptcp netstream driver");
- return RS_RET_VALUE_NOT_IN_THIS_MODE;
+ DEFiRet;
+
+ if(pPermPeers != NULL) {
+ errmsg.LogError(NO_ERRCODE, "authentication not supported by ptcp netstream driver");
+ ABORT_FINALIZE(RS_RET_VALUE_NOT_IN_THIS_MODE);
+ }
+
+finalize_it:
+ RETiRet;
}
@@ -477,6 +483,8 @@ LstnInit(netstrms_t *pNS, void *pUsr, rsRetVal(*fAddLstn)(void*,netstrm_t*),
CHKiRet(pNS->Drvr.Construct(&pNewNsd));
CHKiRet(pNS->Drvr.SetSock(pNewNsd, sock));
CHKiRet(pNS->Drvr.SetMode(pNewNsd, netstrms.GetDrvrMode(pNS)));
+ CHKiRet(pNS->Drvr.SetAuthMode(pNewNsd, netstrms.GetDrvrAuthMode(pNS)));
+ CHKiRet(pNS->Drvr.SetPermPeers(pNewNsd, netstrms.GetDrvrPermPeers(pNS)));
CHKiRet(netstrms.CreateStrm(pNS, &pNewStrm));
pNewStrm->pDrvrData = (nsd_t*) pNewNsd;
CHKiRet(fAddLstn(pUsr, pNewStrm));
@@ -668,7 +676,7 @@ CODESTARTobjQueryInterface(nsd_ptcp)
pIf->SetSock = SetSock;
pIf->SetMode = SetMode;
pIf->SetAuthMode = SetAuthMode;
- pIf->AddPermFingerprint = AddPermFingerprint;
+ pIf->SetPermPeers = SetPermPeers;
pIf->Rcv = Rcv;
pIf->Send = Send;
pIf->LstnInit = LstnInit;
diff --git a/runtime/nsdsel_gtls.c b/runtime/nsdsel_gtls.c
index e54693dc..082a044b 100644
--- a/runtime/nsdsel_gtls.c
+++ b/runtime/nsdsel_gtls.c
@@ -128,12 +128,10 @@ doRetry(nsd_gtls_t *pNsd)
switch(pNsd->rtryCall) {
case gtlsRtry_handshake:
gnuRet = gnutls_handshake(pNsd->sess);
- dbgprintf("handshake ret %d\n", gnuRet);
if(gnuRet == 0) {
+ pNsd->rtryCall = gtlsRtry_None; /* we are done */
/* we got a handshake, now check authorization */
- // TODO: do it!
- dbgprintf("handshake done\n");
- gtlsChkFingerprint(pNsd);
+ CHKiRet(gtlsChkFingerprint(pNsd));
}
break;
default:
@@ -157,6 +155,9 @@ doRetry(nsd_gtls_t *pNsd)
*/
finalize_it:
+ if(iRet != RS_RET_OK)
+ pNsd->bAbortConn = 1; /* request abort */
+RUNLOG_VAR("%d", pNsd->bAbortConn);
RETiRet;
}
diff --git a/runtime/rsyslog.h b/runtime/rsyslog.h
index fe26bb44..c06b01c3 100644
--- a/runtime/rsyslog.h
+++ b/runtime/rsyslog.h
@@ -81,6 +81,7 @@ typedef struct interface_s interface_t;
typedef struct objInfo_s objInfo_t;
typedef enum rsRetVal_ rsRetVal; /**< friendly type for global return value */
typedef rsRetVal (*errLogFunc_t)(uchar*); /* this is a trick to store a function ptr to a function returning a function ptr... */
+typedef struct permittedPeers_s permittedPeers_t; /* this should go away in the long term -- rgerhards, 2008-05-19 */
typedef struct tcpsrv_s tcpsrv_t;
/* some universal 64 bit define... */
@@ -227,6 +228,7 @@ enum rsRetVal_ /** return value. All methods return this if not specified oth
RS_RET_VALUE_NOT_SUPPORTED = -2086, /**< a provided value is not supported */
RS_RET_VALUE_NOT_IN_THIS_MODE = -2087, /**< a provided value is invalid for the curret mode */
RS_RET_INVALID_FINGERPRINT = -2088, /**< a fingerprint is not valid for this use case */
+ RS_RET_CONNECTION_ABORTREQ = -2089, /**< connection was abort requested due to previous error */
/* RainerScript error messages (range 1000.. 1999) */
RS_RET_SYSVAR_NOT_FOUND = 1001, /**< system variable could not be found (maybe misspelled) */