[Syslog-ng-commit] syslog-ng--mainline: added TLS support for incoming TCP connections

Balazs Scheidler bazsi at balabit.hu
Wed Oct 25 09:59:42 CEST 2006


Link: <http://intra.balabit/cgi-bin/viewarch.cgi/devel@balabit.hu--other-1/syslog-ng--mainline--2.1--patch-2>
Revision: syslog-ng--mainline--2.1--patch-2
Archive: devel at balabit.hu--other-1
Creator: Balazs Scheidler <bazsi at balabit.hu>
Date: Wed Oct 25 09:59:41 CEST 2006
Standard-date: 2006-10-25 07:59:41 GMT
New-files: src/.arch-ids/tlsread.c.id
    src/.arch-ids/tlsread.h.id src/tlsread.c src/tlsread.h
Modified-files: src/Makefile.am src/afsocket.c
    src/cfg-grammar.y src/cfg-lex.l src/fdread.c src/fdread.h
    src/fdwrite.c src/fdwrite.h src/tlscontext.c
    src/tlswrite.c
New-patches: devel at balabit.hu--other-1/syslog-ng--mainline--2.1--patch-2
Summary: added TLS support for incoming TCP connections
Keywords: 

	* src/afsocket.c (afsocket_sc_init): use TLSRead instance to fetch
	messages if self->tls_context is set,
	(afsocket_sd_set_tls_context): new function, called by the config
	parser to set a TLS context,

	* src/cfg-grammar.y (source_afinet_tcp_option): removed
	never-implemented crypt/auth/mac keywords, added TLS specific
	parsing code

	* src/cfg-lex.l: removed keywords for required/allow/deny

	* src/fdread.c (fd_read_free): use a function pointer to actually
	free the FDRead instance, moved the bulk of fd_read_free to a static function,
	(fd_read_free_method): the bulk of the task of freeing FDRead is moved here

	* src/fdwrite.c (fd_write_free_method): removed static qualifier

	* src/tlscontext.c (tls_context_setup_session): added CA
	verification setup code, initial handshake is now performed as a
	non-blocking operation during normal read/write, thus we need to
	call set_connect_state() and/or set_accept_state()

	* src/tlswrite.c (tls_write_write_method): removed the call to
	SSL_connect(), nonblocking handshake is performed instead, making
	the code much simpler,
	(tls_write_new): initialize cond to (G_IO_IN | G_IO_OUT) as the SSL
	handshake will define the exact I/O order, and it is possible that
	the client reads first (which is not the case, but let's leave that
	possibility delegated to libssl)

	* src/tlsread.c: new file, implements SSL wrapped reading

Diff stats:
 Makefile.am   |    2 +-
 afsocket.c    |   12 +++++++++++-
 cfg-grammar.y |   18 +++++-------------
 cfg-lex.l     |    3 ---
 fdread.c      |    9 ++++++++-
 fdread.h      |   11 ++++++++---
 fdwrite.c     |    5 +----
 fdwrite.h     |    1 +
 tlscontext.c  |   38 +++++++++++++++++++++++++++++++++++++-
 tlswrite.c    |   33 ++++++++-------------------------
 10 files changed, 80 insertions(+), 52 deletions(-)
