authorRainer Gerhards <rgerhards@adiscon.com>2008-05-19 18:52:44 +0200
committerRainer Gerhards <rgerhards@adiscon.com>2008-05-19 18:52:44 +0200
commit85b587f93d7f1294fae78317c0841a30aaa03583 (patch)
treefcfcf000d37b873cf385782fe8c411fb21f1b1c0 /tools
parent48684ceac5d57f2c3bc9e8afce98d2026ab51958 (diff)
first implementation of TLS server client authentication check
The TLS server now checks the client fingerprint. This works, but is highly experimental and needs to be refined for practical use. Also: - implemented permittedPeers helper construct to store names - changed omfwd implementation to use new permittedPeers
Diffstat (limited to 'tools')
-rw-r--r--tools/omfwd.c50
1 files changed, 35 insertions, 15 deletions
diff --git a/tools/omfwd.c b/tools/omfwd.c
index 43f601e3..a902fe3b 100644
--- a/tools/omfwd.c
+++ b/tools/omfwd.c
@@ -79,7 +79,8 @@ typedef struct _instanceData {
netstrm_t *pNetstrm; /* our output netstream */
uchar *pszStrmDrvr;
uchar *pszStrmDrvrAuthMode;
- uchar *pszStrmDrvrFingerprint;
+ permittedPeers_t *pPermPeersRootFingerprint;
+ permittedPeers_t *pPermPeersRootNames;
int iStrmDrvrMode;
char *f_hname;
int *pSockArray; /* sockets to use for UDP */
@@ -98,9 +99,10 @@ typedef struct _instanceData {
static uchar *pszTplName = NULL; /* name of the default template to use */
static uchar *pszStrmDrvr = NULL; /* name of the stream driver to use */
static int iStrmDrvrMode = 0; /* mode for stream driver, driver-dependent (0 mostly means plain tcp) */
-static uchar *pszStrmDrvrAuthMode = NULL; /* name of the default template to use */
-static uchar *pszStrmDrvrFingerprint = NULL; /* name of the default template to use */
+static uchar *pszStrmDrvrAuthMode = NULL; /* authentication mode to use */
+static permittedPeers_t *pPermPeersRootFingerprint = NULL;
+static permittedPeers_t *pPermPeersRootNames = NULL;
/* get the syslog forward port from selector_t. The passed in
* struct must be one that is setup for forwarding.
@@ -154,8 +156,10 @@ CODESTARTfreeInstance
free(pData->pszStrmDrvr);
if(pData->pszStrmDrvrAuthMode != NULL)
free(pData->pszStrmDrvrAuthMode);
- if(pData->pszStrmDrvrFingerprint != NULL)
- free(pData->pszStrmDrvrFingerprint);
+ if(pData->pPermPeersRootFingerprint != NULL)
+ net.DestructPermittedPeers(&pData->pPermPeersRootFingerprint);
+ if(pData->pPermPeersRootNames != NULL)
+ net.DestructPermittedPeers(&pData->pPermPeersRootNames);
ENDfreeInstance
@@ -212,6 +216,19 @@ static rsRetVal UDPSend(instanceData *pData, char *msg, size_t len)
}
+/* set the cert fingerprint -- rgerhards, 2008-05-19
+ */
+static rsRetVal
+setFingerprint(void __attribute__((unused)) *pVal, uchar *pszID)
+{
+ DEFiRet;
+ CHKiRet(net.AddPermittedPeer(&pPermPeersRootFingerprint, pszID));
+finalize_it:
+ RETiRet;
+}
+
+
+
/* CODE FOR SENDING TCP MESSAGES */
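Review bot: The header comment on setFingerprint does not say who owns pszID after the call; the registration at the end of this file hands it the word produced by the eCmdHdlrGetWord handler, and whether net.AddPermittedPeer copies the string or keeps the buffer decides whether this function (or its caller) must free it. Suggest extending the comment to `/* set the cert fingerprint; pszID is <copied|retained> by net.AddPermittedPeer, caller <must|must not> free it -- rgerhards, 2008-05-19 */` once the contract is confirmed. Error propagation via CHKiRet/finalize_it is consistent with the rest of the module.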
@@ -281,9 +298,8 @@ static rsRetVal TCPSendInit(void *pvData)
if(pData->pszStrmDrvrAuthMode != NULL) {
CHKiRet(netstrm.SetDrvrAuthMode(pData->pNetstrm, pData->pszStrmDrvrAuthMode));
}
- if(pData->pszStrmDrvrFingerprint != NULL) {
- CHKiRet(netstrm.AddDrvrPermittedFingerprint(pData->pNetstrm,
- pData->pszStrmDrvrFingerprint));
+ if(pData->pPermPeersRootFingerprint != NULL) {
+ CHKiRet(netstrm.SetDrvrPermPeers(pData->pNetstrm, pData->pPermPeersRootFingerprint));
}
/* params set, now connect */
CHKiRet(netstrm.Connect(pData->pNetstrm, glbl.GetDefPFFamily(),
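Review bot: TCPSendInit passes only pPermPeersRootFingerprint to the driver; pPermPeersRootNames, which this same commit adds to instanceData and releases in freeInstance, is never handed to netstrm here, so name-based peer checking cannot take effect for outbound connections. If that is deliberately deferred, a comment at the `if(pData->pPermPeersRootFingerprint != NULL)` line such as `/* TODO: pass pPermPeersRootNames to the driver once name-based auth is supported */` would make the gap visible; otherwise the matching call for the names list belongs next to it. TCPSendInit starts and ends outside the hunk.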
@@ -590,9 +606,14 @@ CODE_STD_STRING_REQUESTparseSelectorAct(1)
if(pszStrmDrvrAuthMode != NULL)
CHKmalloc(pData->pszStrmDrvrAuthMode =
(uchar*)strdup((char*)pszStrmDrvrAuthMode));
- if(pszStrmDrvrFingerprint != NULL)
- CHKmalloc(pData->pszStrmDrvrFingerprint =
- (uchar*)strdup((char*)pszStrmDrvrFingerprint));
+ if(pPermPeersRootFingerprint != NULL) {
+ pData->pPermPeersRootFingerprint = pPermPeersRootFingerprint;
+ pPermPeersRootFingerprint = NULL;
+ }
+ if(pPermPeersRootNames != NULL) {
+ pData->pPermPeersRootNames = pPermPeersRootNames;
+ pPermPeersRootNames = NULL;
+ }
}
CODE_STD_FINALIZERparseSelectorAct
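Review bot: Transferring the list into the instance and nulling the global (`pPermPeersRootFingerprint = NULL;`, likewise for pPermPeersRootNames) changes configuration semantics: only the first action parsed after an actionsendstreamdrivercertfingerprint directive receives the fingerprint list, whereas the replaced strdup left the global value in place for every subsequent action until resetconfigvariables. Later actions would then connect with no permitted-peer list at all, which is a silent weakening of the check. If the move is intended, a comment on the assignment should say so; otherwise the instance should get a copy of the list rather than the original. parseSelectorAct starts outside the hunk.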
@@ -617,9 +638,8 @@ freeConfigVars(void)
free(pszStrmDrvrAuthMode);
pszStrmDrvrAuthMode = NULL;
}
- if(pszStrmDrvrFingerprint != NULL) {
- free(pszStrmDrvrFingerprint);
- pszStrmDrvrFingerprint = NULL;
+ if(pPermPeersRootFingerprint != NULL) {
+ free(pPermPeersRootFingerprint);
}
}
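Review bot: freeConfigVars releases the fingerprint list with a bare `free(pPermPeersRootFingerprint)` while freeInstance in this same commit uses net.DestructPermittedPeers for the identical type; a plain free leaks whatever the permittedPeers_t owns internally, and because the pointer is no longer reset to NULL (the removed code did reset pszStrmDrvrFingerprint) the next reset would free it again. Suggested replacement for the body: `if(pPermPeersRootFingerprint != NULL) {` / `net.DestructPermittedPeers(&pPermPeersRootFingerprint);` / `}` — assuming the double-pointer signature means DestructPermittedPeers nulls the caller's pointer, which should be confirmed. pPermPeersRootNames gets no cleanup here at all, so a list left in that global is leaked on reset. freeConfigVars starts outside the hunk.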
@@ -670,7 +690,7 @@ CODEmodInit_QueryRegCFSLineHdlr
CHKiRet(regCfSysLineHdlr((uchar *)"actionsendstreamdriver", 0, eCmdHdlrGetWord, NULL, &pszStrmDrvr, NULL));
CHKiRet(regCfSysLineHdlr((uchar *)"actionsendstreamdrivermode", 0, eCmdHdlrInt, NULL, &iStrmDrvrMode, NULL));
CHKiRet(regCfSysLineHdlr((uchar *)"actionsendstreamdriverauthmode", 0, eCmdHdlrGetWord, NULL, &pszStrmDrvrAuthMode, NULL));
- CHKiRet(regCfSysLineHdlr((uchar *)"actionsendstreamdrivercertfingerprint", 0, eCmdHdlrGetWord, NULL, &pszStrmDrvrFingerprint, NULL));
+ CHKiRet(regCfSysLineHdlr((uchar *)"actionsendstreamdrivercertfingerprint", 0, eCmdHdlrGetWord, setFingerprint, NULL, NULL));
CHKiRet(omsdRegCFSLineHdlr((uchar *)"resetconfigvariables", 1, eCmdHdlrCustomHandler, resetConfigVariables, NULL, STD_LOADABLE_MODULE_ID));
ENDmodInit
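Review bot: No configuration directive populates pPermPeersRootNames: the only new registration here routes actionsendstreamdrivercertfingerprint to setFingerprint, so the names list added to instanceData can never be set from a config file. If name-based checking is planned for a follow-up, a `/* TODO: register a directive feeding pPermPeersRootNames */` comment next to this registration would document the intent; if not, the unused field and its cleanup should go. modInit_QueryRegCFSLineHdlr starts outside the hunk.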