rsyslog/rsyslog
1
0
Fork 0
mirror of https://github.com/rsyslog/rsyslog.git synced 2025-12-19 22:00:42 +01:00
Code Issues Packages Projects Releases Wiki Activity

gnutls driver: support intermediate certificates

Browse Source 
this is necessary for certificate chains

closes https://github.com/rsyslog/rsyslog/issues/2762
This commit is contained in:
Arne Nordmark 2018-06-07 14:46:25 +02:00 committed by Rainer Gerhards
parent 29926740f3
commit ec9c22df6e
2 changed files with 17 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
runtime/nsd_gtls.c
View File

@ -182,6 +182,7 @@ gtlsLoadOurCertKey(nsd_gtls_t *pThis)
gnutls_datum_t data = { NULL, 0 };
uchar *keyFile;
uchar *certFile;
int lenRcvd;
ISOBJ_TYPE_assert(pThis, nsd_gtls);
@ -201,9 +202,12 @@ gtlsLoadOurCertKey(nsd_gtls_t *pThis)
/* try load certificate */
CHKiRet(readFile(certFile, &data));
CHKgnutls(gnutls_x509_crt_init(&pThis->ourCert));
pThis->nOurCerts=sizeof(pThis->pOurCerts);
lenRcvd=gnutls_x509_crt_list_import(pThis->pOurCerts, &pThis->nOurCerts, &data, GNUTLS_X509_FMT_PEM,0);
if (lenRcvd<0) {
CHKgnutls(lenRcvd);
}
pThis->bOurCertIsInit = 1;
CHKgnutls(gnutls_x509_crt_import(pThis->ourCert, &data, GNUTLS_X509_FMT_PEM));
free(data.data);
data.data = NULL;
@ -219,7 +223,9 @@ finalize_it:
if(data.data != NULL)
free(data.data);
if(pThis->bOurCertIsInit) {
gnutls_x509_crt_deinit(pThis->ourCert);
for (int i=0; i<pThis->nOurCerts; ++i) {
gnutls_x509_crt_deinit(pThis->pOurCerts[i]);
}
pThis->bOurCertIsInit = 0;
}
if(pThis->bOurKeyIsInit) {
@ -264,8 +270,8 @@ gtlsClientCertCallback(gnutls_session_t session,
#else
st->type = GNUTLS_CRT_X509;
#endif
st->ncerts = 1;
st->cert.x509 = &pThis->ourCert;
st->ncerts = pThis->nOurCerts;
st->cert.x509 = pThis->pOurCerts;
st->key.x509 = pThis->ourKey;
st->deinit_all = 0;
@ -1219,7 +1225,9 @@ CODESTARTobjDestruct(nsd_gtls)
}
if(pThis->bOurCertIsInit)
gnutls_x509_crt_deinit(pThis->ourCert);
for (int i=0; i<pThis->nOurCerts; ++i) {
gnutls_x509_crt_deinit(pThis->pOurCerts[i]);
}
if(pThis->bOurKeyIsInit)
gnutls_x509_privkey_deinit(pThis->ourKey);
if(pThis->bHaveSess)

4
runtime/nsd_gtls.h
View File

@ -25,6 +25,7 @@
#include "nsd.h"
#define NSD_GTLS_MAX_RCVBUF 8 * 1024 /* max size of buffer for message reception */
#define NSD_GTLS_MAX_CERT 10 /* max number of certs in our chain */
typedef enum {
gtlsRtry_None = 0, /**< no call needs to be retried */
@ -60,7 +61,8 @@ struct nsd_gtls_s {
* one successful authentication. */
permittedPeers_t *pPermPeers; /* permitted peers */
uchar *gnutlsPriorityString; /* gnutls priority string */
gnutls_x509_crt_t ourCert; /**< our certificate, if in client mode (unused in server mode) */
gnutls_x509_crt_t pOurCerts[NSD_GTLS_MAX_CERT]; /**< our certificate, if in client mode (unused in server mode) */
unsigned int nOurCerts; /* number of certificates in our chain */
gnutls_x509_privkey_t ourKey; /**< our private key, if in client mode (unused in server mode) */
short bOurCertIsInit; /**< 1 if our certificate is initialized and must be deinit on destruction */
short bOurKeyIsInit; /**< 1 if our private key is initialized and must be deinit on destruction */