From edf41396efc9bcbbc333651771df49d3ec68cb4d Mon Sep 17 00:00:00 2001
From: Rainer Gerhards
Date: Sat, 17 May 2008 11:19:12 +0200
Subject: regained netstream driver genericity; improved drivers

- made action logic pass optional auth params only if they are actually configured
- added new authMode and Fingerprint methods to ptcp netstream driver (keeping them once again generic)
- added diagnostics messages when invalid auth modes were configured
---
 runtime/nsd_gtls.c | 9 ++++++---
 runtime/nsd_ptcp.c | 41 +++++++++++++++++++++++++++++++++++++++++
 tools/omfwd.c | 12 +++++++++---
 3 files changed, 56 insertions(+), 6 deletions(-)

diff --git a/runtime/nsd_gtls.c b/runtime/nsd_gtls.c
index 131a3679..df458ea3 100644
--- a/runtime/nsd_gtls.c
+++ b/runtime/nsd_gtls.c
@@ -416,7 +416,6 @@ SetAuthMode(nsd_t *pNsd, uchar *mode)
 nsd_gtls_t *pThis = (nsd_gtls_t*) pNsd;
 ISOBJ_TYPE_assert((pThis), nsd_gtls);
-RUNLOG_VAR("%s", mode);
 if(mode == NULL || !strcasecmp((char*)mode, "x509/name")) {
 pThis->authMode = GTLS_AUTH_CERTNAME;
 } else if(!strcasecmp((char*) mode, "x509/fingerprint")) {
@@ -424,7 +423,8 @@ RUNLOG_VAR("%s", mode);
 } else if(!strcasecmp((char*) mode, "anon")) {
 pThis->authMode = GTLS_AUTH_CERTANON;
 } else {
- // TODO: logerror()?
+ errmsg.LogError(NO_ERRCODE, "authentication mode '%s' not supported by "
+ "gtls netstream driver", mode);
 ABORT_FINALIZE(RS_RET_VALUE_NOT_SUPPORTED);
 }
@@ -447,8 +447,11 @@ AddPermFingerprint(nsd_t *pNsd, uchar *pszFingerprint)
 nsd_gtls_t *pThis = (nsd_gtls_t*) pNsd;
 ISOBJ_TYPE_assert((pThis), nsd_gtls);
- if(pThis->authMode != GTLS_AUTH_CERTFINGERPRINT)
+ if(pThis->authMode != GTLS_AUTH_CERTFINGERPRINT) {
+ errmsg.LogError(NO_ERRCODE, "fingerprint authentication not supported by "
+ "gtls netstream driver in the configured authentication mode - ignored");
 ABORT_FINALIZE(RS_RET_VALUE_NOT_IN_THIS_MODE);
+ }
 // TODO: proper handling - but we need to redo this when we do the
 // linked list. So for now, this is good enough (but MUST BE CHANGED!).
diff --git a/runtime/nsd_ptcp.c b/runtime/nsd_ptcp.c
index c5480a05..ae835aed 100644
--- a/runtime/nsd_ptcp.c
+++ b/runtime/nsd_ptcp.c
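Review bot: The new error text in AddPermFingerprint ends with "- ignored", yet the function still leaves through ABORT_FINALIZE with RS_RET_VALUE_NOT_IN_THIS_MODE, and the tools/omfwd.c hunk wraps AddDrvrPermittedFingerprint in CHKiRet, so — assuming the netstrm layer passes the driver's return code through — a fingerprint configured under a non-fingerprint auth mode aborts stream setup rather than being ignored. That fail-closed outcome is the right one; only the message misdescribes it, which will mislead whoever reads the log while diagnosing a refused connection. Suggest `"gtls netstream driver in the configured authentication mode");` without the suffix, or wording that says the stream is not set up. The same "- ignored" wording is in the new ptcp AddPermFingerprint in the runtime/nsd_ptcp.c hunk. AddPermFingerprint's body continues past the end of the hunk.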
@@ -126,6 +126,45 @@ finalize_it:
 }
+/* Set the authentication mode. For us, the following is supported:
+ * anon - no certificate checks whatsoever (discouraged, but supported)
+ * mode == NULL is valid and defaults to anon
+ * Actually, we do not even record the mode right now, because we can
+ * always work in anon mode, only. So there is no point in recording
+ * something if that's the only choice. What the function does is
+ * return an error if something is requested that we can not support.
+ * rgerhards, 2008-05-17
+ */
+static rsRetVal
+SetAuthMode(nsd_t __attribute__((unused)) *pNsd, uchar *mode)
+{
+ DEFiRet;
+ if(mode != NULL && strcasecmp((char*)mode, "anon")) {
+ errmsg.LogError(NO_ERRCODE, "authentication mode '%s' not supported by "
+ "ptcp netstream driver", mode);
+ ABORT_FINALIZE(RS_RET_VALUE_NOT_SUPPORTED);
+ }
+
+finalize_it:
+ RETiRet;
+}
+
+
+/* Add a permitted fingerprint. This is a dummy, always returning an
+ * error because we do not support fingerprint authentication.
+ * rgerhards, 2008-05-17
+ */
+static rsRetVal
+AddPermFingerprint(nsd_t __attribute__((unused)) *pNsd, uchar __attribute__((unused)) *pszFingerprint)
+{
+ errmsg.LogError(NO_ERRCODE, "fingerprint authentication not supported by "
+ "ptcp netstream driver - ignored");
+ return RS_RET_VALUE_NOT_IN_THIS_MODE;
+}
+
+
+
+
 /* Provide access to the underlying OS socket. This is primarily
 * useful for other drivers (like nsd_gtls) who utilize ourselfs
 * for some of their functionality.
@@ -625,6 +664,8 @@ CODESTARTobjQueryInterface(nsd_ptcp)
 pIf->GetSock = GetSock;
 pIf->SetSock = SetSock;
 pIf->SetMode = SetMode;
+ pIf->SetAuthMode = SetAuthMode;
+ pIf->AddPermFingerprint = AddPermFingerprint;
 pIf->Rcv = Rcv;
 pIf->Send = Send;
 pIf->LstnInit = LstnInit;
diff --git a/tools/omfwd.c b/tools/omfwd.c
index e0b6db01..43f601e3 100644
--- a/tools/omfwd.c
+++ b/tools/omfwd.c
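Review bot: The new ptcp SetAuthMode marks pNsd unused and never checks it, while the gtls SetAuthMode touched by this same commit asserts the object type with ISOBJ_TYPE_assert before reading mode; a wrong driver object handed in would be caught on the gtls path and silently accepted here. If the other nsd_ptcp methods perform this check (none is visible in the hunk), adding `ISOBJ_TYPE_assert((nsd_ptcp_t*) pNsd, nsd_ptcp);` at the top of both SetAuthMode and AddPermFingerprint, mirroring the gtls cast, keeps the two drivers behaving alike, which is what the commit title is after. As a point of style, the block ends with four consecutive blank added lines before the "Provide access to the underlying OS socket" comment, where the two the hunk itself uses between SetAuthMode and AddPermFingerprint would match.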
@@ -277,9 +277,15 @@ static rsRetVal TCPSendInit(void *pvData)
 CHKiRet(netstrms.CreateStrm(pData->pNS, &pData->pNetstrm));
 CHKiRet(netstrm.ConstructFinalize(pData->pNetstrm));
 CHKiRet(netstrm.SetDrvrMode(pData->pNetstrm, pData->iStrmDrvrMode));
- CHKiRet(netstrm.SetDrvrAuthMode(pData->pNetstrm, pData->pszStrmDrvrAuthMode));
- CHKiRet(netstrm.AddDrvrPermittedFingerprint(pData->pNetstrm,
- pData->pszStrmDrvrFingerprint));
+ /* now set optional params, but only if they were actually configured */
+ if(pData->pszStrmDrvrAuthMode != NULL) {
+ CHKiRet(netstrm.SetDrvrAuthMode(pData->pNetstrm, pData->pszStrmDrvrAuthMode));
+ }
+ if(pData->pszStrmDrvrFingerprint != NULL) {
+ CHKiRet(netstrm.AddDrvrPermittedFingerprint(pData->pNetstrm,
+ pData->pszStrmDrvrFingerprint));
+ }
+ /* params set, now connect */
 CHKiRet(netstrm.Connect(pData->pNetstrm, glbl.GetDefPFFamily(),
 (uchar*)pData->port, (uchar*)pData->f_hname));
 }
-- 
cgit
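Review bot: The new guard means an unset pszStrmDrvrAuthMode leaves the driver at its own default, and that default differs per driver — in the nsd_gtls.c hunk a NULL mode selects GTLS_AUTH_CERTNAME (x509/name), in the nsd_ptcp.c hunk it is anon — but the comment `/* now set optional params, but only if they were actually configured */` does not say so. One consequence visible from these hunks: a fingerprint configured without an explicit authMode meets the gtls x509/name default, AddPermFingerprint returns RS_RET_VALUE_NOT_IN_THIS_MODE and CHKiRet aborts TCPSendInit (assuming netstrm forwards the driver's code), so both directives have to be set together. Suggest extending the comment to `/* optional params; when unset the driver keeps its own default (gtls: x509/name, ptcp: anon), and a fingerprint needs an explicit x509/fingerprint auth mode */`. TCPSendInit begins before and continues after this hunk.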