Provide a tls_accept_fds() function, which allows a TLS connection to be

accepted via an existing pair of file descriptors.

Based on a diff from Jan Klemkow.

1 files changed, 16 insertions, 5 deletions

diff --git a/src/lib/libtls/tls_server.c b/src/lib/libtls/tls_server.c
index cbe064e2f5..55b19e472c 100644
--- a/src/lib/libtls/tls_server.c
+++ b/src/lib/libtls/tls_server.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_server.c,v 1.6 2015/03/31 12:21:27 jsing Exp $ */
+/* $OpenBSD: tls_server.c,v 1.7 2015/03/31 14:03:38 jsing Exp $ */
 /*
  * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
  *
@@ -99,7 +99,7 @@ err:
 }
 
 int
-tls_accept_socket(struct tls *ctx, struct tls **cctx, int socket)
+tls_accept_fds(struct tls *ctx, struct tls **cctx, int fd_read, int fd_write)
 {
         struct tls *conn_ctx = *cctx;
         int ret, err;
@@ -116,14 +116,13 @@ tls_accept_socket(struct tls *ctx, struct tls **cctx, int socket)
                 }
                 *cctx = conn_ctx;
 
-                conn_ctx->socket = socket;
-
                 if ((conn_ctx->ssl_conn = SSL_new(ctx->ssl_ctx)) == NULL) {
                         tls_set_error(ctx, "ssl failure");
                         goto err;
                 }
 
-                if (SSL_set_fd(conn_ctx->ssl_conn, socket) != 1) {
+                if (SSL_set_rfd(conn_ctx->ssl_conn, fd_read) != 1 ||
+                    SSL_set_wfd(conn_ctx->ssl_conn, fd_write) != 1) {
                         tls_set_error(ctx, "ssl set fd failure");
                         goto err;
                 }
@@ -143,3 +142,15 @@ tls_accept_socket(struct tls *ctx, struct tls **cctx, int socket)
 err:
         return (-1);
 }
+
+int
+tls_accept_socket(struct tls *ctx, struct tls **cctx, int socket)
+{
+        int rv;
+
+        rv = tls_accept_fds(ctx, cctx, socket, socket);
+        if (*cctx != NULL)
+                (*cctx)->socket = socket;
+
+        return (rv);
+}