From edf41396efc9bcbbc333651771df49d3ec68cb4d Mon Sep 17 00:00:00 2001
From: Rainer Gerhards
Date: Sat, 17 May 2008 11:19:12 +0200
Subject: regained netstream driver genericity; improved drivers
- made action logic pass optional auth params only if they are actually configured
- added new authMode and Fingerprint methods to ptcp netstream driver (keeping them once again generic)
- added diagnostics messages when invalid auth modes were configured
---
 runtime/nsd_ptcp.c | 41 +++++++++++++++++++++++++++++++++++++++++
 1 file changed, 41 insertions(+)
(limited to 'runtime/nsd_ptcp.c')
diff --git a/runtime/nsd_ptcp.c b/runtime/nsd_ptcp.c
index c5480a05..ae835aed 100644
--- a/runtime/nsd_ptcp.c
+++ b/runtime/nsd_ptcp.c
@@ -126,6 +126,45 @@ finalize_it:
 }
+/* Set the authentication mode. For us, the following is supported:
+ * anon - no certificate checks whatsoever (discouraged, but supported)
+ * mode == NULL is valid and defaults to anon
+ * Actually, we do not even record the mode right now, because we can
+ * always work in anon mode, only. So there is no point in recording
+ * something if that's the only choice. What the function does is
+ * return an error if something is requested that we can not support.
+ * rgerhards, 2008-05-17
+ */
+static rsRetVal
+SetAuthMode(nsd_t __attribute__((unused)) *pNsd, uchar *mode)
+{
+ DEFiRet;
+ if(mode != NULL && strcasecmp((char*)mode, "anon")) {
+ errmsg.LogError(NO_ERRCODE, "authentication mode '%s' not supported by "
+ "ptcp netstream driver", mode);
+ ABORT_FINALIZE(RS_RET_VALUE_NOT_SUPPORTED);
+ }
+
+finalize_it:
+ RETiRet;
+}
+
+
+/* Add a permitted fingerprint. This is a dummy, always returning an
+ * error because we do not support fingerprint authentication.
+ * rgerhards, 2008-05-17
+ */
+static rsRetVal
+AddPermFingerprint(nsd_t __attribute__((unused)) *pNsd, uchar __attribute__((unused)) *pszFingerprint)
+{
+ errmsg.LogError(NO_ERRCODE, "fingerprint authentication not supported by "
+ "ptcp netstream driver - ignored");
+ return RS_RET_VALUE_NOT_IN_THIS_MODE;
+}
+
+
+
+
 /* Provide access to the underlying OS socket. This is primarily
 * useful for other drivers (like nsd_gtls) who utilize ourselfs
 * for some of their functionality.
@@ -625,6 +664,8 @@ CODESTARTobjQueryInterface(nsd_ptcp)
 pIf->GetSock = GetSock;
 pIf->SetSock = SetSock;
 pIf->SetMode = SetMode;
+ pIf->SetAuthMode = SetAuthMode;
+ pIf->AddPermFingerprint = AddPermFingerprint;
 pIf->Rcv = Rcv;
 pIf->Send = Send;
 pIf->LstnInit = LstnInit;
--
cgit
From 48684ceac5d57f2c3bc9e8afce98d2026ab51958 Mon Sep 17 00:00:00 2001
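Review bot: SetAuthMode and AddPermFingerprint report the same condition — this driver cannot authenticate a peer — with two different codes, RS_RET_VALUE_NOT_SUPPORTED and RS_RET_VALUE_NOT_IN_THIS_MODE, so a caller that wants to refuse the connection whenever any authentication is requested on plain TCP has to know both codes. Returning one code from both paths and stating it in the header comments, e.g. `* Returns RS_RET_VALUE_NOT_SUPPORTED whenever anything but anon is requested.`, would make the fail-closed contract explicit to callers. AddPermFingerprint also skips the DEFiRet/finalize_it shape that SetAuthMode (and the file's other setters) use; a bare return is correct here, but the file's convention is the macro pair.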
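Review bot: Two members are added to the nsd interface table in the second hunk, and any other netstream driver that fills the same table (the context comment above names nsd_gtls as one that builds on this driver) now has to assign them too, or a caller reaching pIf->SetAuthMode through such a driver calls a null function pointer. Worth checking in the same change that every driver sets both entries, and that the interface's version constant, if the table carries one, is bumped so a stale driver is rejected when the interface is queried rather than when the pointer is called.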
From: Rainer Gerhards
Date: Mon, 19 May 2008 09:43:37 +0200
Subject: improved error messages and corrected fingerprint format
---
 runtime/nsd_ptcp.c | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)
(limited to 'runtime/nsd_ptcp.c')
diff --git a/runtime/nsd_ptcp.c b/runtime/nsd_ptcp.c
index ae835aed..6702e118 100644
--- a/runtime/nsd_ptcp.c
+++ b/runtime/nsd_ptcp.c
@@ -119,8 +119,11 @@ static rsRetVal
 SetMode(nsd_t __attribute__((unused)) *pNsd, int mode)
 {
 DEFiRet;
- if(mode != 0)
- ABORT_FINALIZE(RS_RET_INVAID_DRVR_MODE);
+ if(mode != 0) {
+ errmsg.LogError(NO_ERRCODE, "error: driver mode %d not supported by "
+ "ptcp netstream driver", mode);
+ ABORT_FINALIZE(RS_RET_INVALID_DRVR_MODE);
+ }
 finalize_it:
 RETiRet;
 }
@@ -140,7 +143,7 @@ SetAuthMode(nsd_t __attribute__((unused)) *pNsd, uchar *mode)
 {
 DEFiRet;
 if(mode != NULL && strcasecmp((char*)mode, "anon")) {
- errmsg.LogError(NO_ERRCODE, "authentication mode '%s' not supported by "
+ errmsg.LogError(NO_ERRCODE, "error: authentication mode '%s' not supported by "
 "ptcp netstream driver", mode);
 ABORT_FINALIZE(RS_RET_VALUE_NOT_SUPPORTED);
 }
@@ -158,7 +161,7 @@ static rsRetVal
 AddPermFingerprint(nsd_t __attribute__((unused)) *pNsd, uchar __attribute__((unused)) *pszFingerprint)
 {
 errmsg.LogError(NO_ERRCODE, "fingerprint authentication not supported by "
- "ptcp netstream driver - ignored");
+ "ptcp netstream driver");
 return RS_RET_VALUE_NOT_IN_THIS_MODE;
 }
--
cgit
From 85b587f93d7f1294fae78317c0841a30aaa03583 Mon Sep 17 00:00:00 2001
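Review bot: The three messages touched in this commit end up in two styles: the SetMode and SetAuthMode hunks gain an `error: ` prefix, while the AddPermFingerprint hunk only drops `- ignored` and gets no prefix, so the same class of misconfiguration is reported differently depending on which directive triggered it. Either drop the prefix from the first two (the function name suggests LogError already marks the line as an error, though its implementation is not visible here) or add it to the third, e.g. `errmsg.LogError(NO_ERRCODE, "error: fingerprint authentication not supported by "`. The rename from RS_RET_INVAID_DRVR_MODE to RS_RET_INVALID_DRVR_MODE in the first hunk presumably has a matching definition in the return-code header; if the misspelt name is still defined or used elsewhere, this commit should retire it so the two spellings cannot drift apart.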
From: Rainer Gerhards
Date: Mon, 19 May 2008 18:52:44 +0200
Subject: first implementation of TLS server client authentication check
The TLS server now checks the client fingerprint. This works, but is highly experimental. Needs to be refined for practice.
Also:
- implemented permittedPeers helper construct to store names
- changed omfwd implementation to use new permittedPeers
---
 runtime/nsd_ptcp.c | 20 ++++++++++++++------
 1 file changed, 14 insertions(+), 6 deletions(-)
(limited to 'runtime/nsd_ptcp.c')
diff --git a/runtime/nsd_ptcp.c b/runtime/nsd_ptcp.c
index 6702e118..14c564a3 100644
--- a/runtime/nsd_ptcp.c
+++ b/runtime/nsd_ptcp.c
@@ -153,16 +153,22 @@ finalize_it:
 }
-/* Add a permitted fingerprint. This is a dummy, always returning an
+/* Set the permitted peers. This is a dummy, always returning an
 * error because we do not support fingerprint authentication.
 * rgerhards, 2008-05-17
 */
 static rsRetVal
-AddPermFingerprint(nsd_t __attribute__((unused)) *pNsd, uchar __attribute__((unused)) *pszFingerprint)
+SetPermPeers(nsd_t __attribute__((unused)) *pNsd, permittedPeers_t __attribute__((unused)) *pPermPeers)
 {
- errmsg.LogError(NO_ERRCODE, "fingerprint authentication not supported by "
- "ptcp netstream driver");
- return RS_RET_VALUE_NOT_IN_THIS_MODE;
+ DEFiRet;
+
+ if(pPermPeers != NULL) {
+ errmsg.LogError(NO_ERRCODE, "authentication not supported by ptcp netstream driver");
+ ABORT_FINALIZE(RS_RET_VALUE_NOT_IN_THIS_MODE);
+ }
+
+finalize_it:
+ RETiRet;
 }
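Review bot: The header comment kept above SetPermPeers still says the function is "a dummy, always returning an error" and talks about fingerprint authentication, but the new body accepts a NULL peer list and only rejects a non-NULL one, so the comment now contradicts the code it documents. Suggested replacement for the first two comment lines: `/* Set the permitted peers. NULL (no peers configured) is accepted; a non-NULL` / ` * list is rejected with RS_RET_VALUE_NOT_IN_THIS_MODE because this driver cannot authenticate peers.`, keeping the author/date trailer. It is worth spelling out in that comment that the NULL case is what lets an unauthenticated listener pass while a configured peer list fails closed, since that asymmetry is the security property a reader of this stub needs. The log message could also name what was configured (a permitted-peer list) so an operator can find the offending directive.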
@@ -477,6 +483,8 @@ LstnInit(netstrms_t *pNS, void *pUsr, rsRetVal(*fAddLstn)(void*,netstrm_t*),
 CHKiRet(pNS->Drvr.Construct(&pNewNsd));
 CHKiRet(pNS->Drvr.SetSock(pNewNsd, sock));
 CHKiRet(pNS->Drvr.SetMode(pNewNsd, netstrms.GetDrvrMode(pNS)));
+ CHKiRet(pNS->Drvr.SetAuthMode(pNewNsd, netstrms.GetDrvrAuthMode(pNS)));
+ CHKiRet(pNS->Drvr.SetPermPeers(pNewNsd, netstrms.GetDrvrPermPeers(pNS)));
 CHKiRet(netstrms.CreateStrm(pNS, &pNewStrm));
 pNewStrm->pDrvrData = (nsd_t*) pNewNsd;
 CHKiRet(fAddLstn(pUsr, pNewStrm));
@@ -668,7 +676,7 @@ CODESTARTobjQueryInterface(nsd_ptcp)
 pIf->SetSock = SetSock;
 pIf->SetMode = SetMode;
 pIf->SetAuthMode = SetAuthMode;
- pIf->AddPermFingerprint = AddPermFingerprint;
+ pIf->SetPermPeers = SetPermPeers;
 pIf->Rcv = Rcv;
 pIf->Send = Send;
 pIf->LstnInit = LstnInit;
--
cgit
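Review bot: The two added CHKiRet calls apply the listener's auth mode and permitted peers to each accepted connection, so a listener configured with an auth mode this driver rejects is only reported when a client actually connects, after Construct and SetSock have already run for that connection; if the listener's own nsd has these setters applied when the listener is created (not visible here), the misconfiguration could be reported once at startup instead of once per connection. Because the new checks can now fail after Construct and SetSock(pNewNsd, sock), the finalize_it path (outside the hunk) must destruct pNewNsd and close the socket handed to it, or every rejected connection leaks both; worth confirming that cleanup exists. The fail-closed direction itself is right: a peer list the driver cannot enforce aborts the connection rather than being dropped. LstnInit starts and ends outside the hunk.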