[Syslog-ng-commit] syslog-ng--mainline: added TLS support for incoming TCP connections
Balazs Scheidler
bazsi at balabit.hu
Wed Oct 25 09:59:42 CEST 2006
Link: <http://intra.balabit/cgi-bin/viewarch.cgi/devel@balabit.hu--other-1/syslog-ng--mainline--2.1--patch-2>
Revision: syslog-ng--mainline--2.1--patch-2
Archive: devel at balabit.hu--other-1
Creator: Balazs Scheidler <bazsi at balabit.hu>
Date: Wed Oct 25 09:59:41 CEST 2006
Standard-date: 2006-10-25 07:59:41 GMT
New-files: src/.arch-ids/tlsread.c.id
src/.arch-ids/tlsread.h.id src/tlsread.c src/tlsread.h
Modified-files: src/Makefile.am src/afsocket.c
src/cfg-grammar.y src/cfg-lex.l src/fdread.c src/fdread.h
src/fdwrite.c src/fdwrite.h src/tlscontext.c
src/tlswrite.c
New-patches: devel at balabit.hu--other-1/syslog-ng--mainline--2.1--patch-2
Summary: added TLS support for incoming TCP connections
Keywords:
* src/afsocket.c (afsocket_sc_init): use a TLSRead instance to fetch
messages if self->tls_context is set,
(afsocket_sd_set_tls_context): new function, called by the config
parser to set a TLS context,
* src/cfg-grammar.y (source_afinet_tcp_option): removed
never-implemented crypt/auth/mac keywords, added TLS-specific
parsing code
* src/cfg-lex.l: removed keywords for required/allow/deny
* src/fdread.c (fd_read_free): use a function pointer to actually
free the FDRead instance, moved the bulk of fd_read_free to a static function,
(fd_read_free_method): the bulk of the task of freeing FDRead is moved here
* src/fdwrite.c (fd_write_free_method): removed static qualifier
* src/tlscontext.c (tls_context_setup_session): added CA
verification setup code, initial handshake is now performed as a
non-blocking operation during normal read/write, thus we need to
call set_connect_state() and/or set_accept_state()
* src/tlswrite.c (tls_write_write_method): removed the call to
SSL_connect(), nonblocking handshake is performed instead, making
the code much simpler,
(tls_write_new): initialize cond to (G_IO_IN | G_IO_OUT) as the SSL
handshake will define the exact I/O order, and it is possible that
the client reads first (which is not the case, but let's leave that
possibility delegated to libssl)
* src/tlsread.c: new file, implements SSL wrapped reading
Diff stats:
 Makefile.am   |  2 +-
 afsocket.c    | 12 +++++++++++-
 cfg-grammar.y | 18 +++++-------------
 cfg-lex.l     |  3 ---
 fdread.c      |  9 ++++++++-
 fdread.h      | 11 ++++++++---
 fdwrite.c     |  5 +----
 fdwrite.h     |  1 +
 tlscontext.c  | 38 +++++++++++++++++++++++++++++++++++++-
 tlswrite.c    | 33 ++++++++-------------------------
 10 files changed, 80 insertions(+), 52 deletions(-)