Provide a tls_accept_fds() function, which allows a TLS connection to be

accepted via an existing pair of file descriptors.

Based on a diff from Jan Klemkow.

4 files changed, 39 insertions, 9 deletions

diff --git a/src/lib/libtls/Makefile b/src/lib/libtls/Makefile
index e5434f5071..9d88c15923 100644
--- a/src/lib/libtls/Makefile
+++ b/src/lib/libtls/Makefile
@@ -1,4 +1,4 @@
-#       $OpenBSD: Makefile,v 1.7 2015/02/22 15:09:54 jsing Exp $
+#       $OpenBSD: Makefile,v 1.8 2015/03/31 14:03:38 jsing Exp $
 
 CFLAGS+= -Wall -Werror -Wimplicit
 CFLAGS+= -DLIBRESSL_INTERNAL
@@ -49,6 +49,7 @@ MLINKS+=tls_init.3 tls_connect.3
 MLINKS+=tls_init.3 tls_connect_fds.3
 MLINKS+=tls_init.3 tls_connect_servername.3
 MLINKS+=tls_init.3 tls_connect_socket.3
+MLINKS+=tls_init.3 tls_accept_fds.3
 MLINKS+=tls_init.3 tls_accept_socket.3
 MLINKS+=tls_init.3 tls_read.3
 MLINKS+=tls_init.3 tls_write.3
diff --git a/src/lib/libtls/tls.h b/src/lib/libtls/tls.h
index de58b92963..e9971ade0e 100644
--- a/src/lib/libtls/tls.h
+++ b/src/lib/libtls/tls.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls.h,v 1.11 2015/02/26 10:36:30 jsing Exp $ */
+/* $OpenBSD: tls.h,v 1.12 2015/03/31 14:03:38 jsing Exp $ */
 /*
  * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
  *
@@ -72,6 +72,8 @@ int tls_configure(struct tls *_ctx, struct tls_config *_config);
 void tls_reset(struct tls *_ctx);
 void tls_free(struct tls *_ctx);
 
+int tls_accept_fds(struct tls *_ctx, struct tls **_cctx, int _fd_read,
+    int _fd_write);
 int tls_accept_socket(struct tls *_ctx, struct tls **_cctx, int _socket);
 int tls_connect(struct tls *_ctx, const char *_host, const char *_port);
 int tls_connect_fds(struct tls *_ctx, int _fd_read, int _fd_write,
diff --git a/src/lib/libtls/tls_init.3 b/src/lib/libtls/tls_init.3
index 3e888115e8..f038f9313a 100644
--- a/src/lib/libtls/tls_init.3
+++ b/src/lib/libtls/tls_init.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: tls_init.3,v 1.18 2015/02/22 15:09:54 jsing Exp $
+.\" $OpenBSD: tls_init.3,v 1.19 2015/03/31 14:03:38 jsing Exp $
 .\"
 .\" Copyright (c) 2014 Ted Unangst <tedu@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: February 22 2015 $
+.Dd $Mdocdate: March 31 2015 $
 .Dt TLS 3
 .Os
 .Sh NAME
@@ -50,6 +50,7 @@
 .Nm tls_connect_fds ,
 .Nm tls_connect_servername ,
 .Nm tls_connect_socket ,
+.Nm tls_accept_fds ,
 .Nm tls_accept_socket ,
 .Nm tls_read ,
 .Nm tls_write
@@ -120,6 +121,8 @@
 .Ft "int"
 .Fn tls_connect_socket "struct tls *ctx" "int s" "const char *servername"
 .Ft "int"
+.Fn tls_accept_fds "struct tls *tls" "struct tls **cctx" "int fd_read" "int fd_write"
+.Ft "int"
 .Fn tls_accept_socket "struct tls *tls" "struct tls **cctx" "int socket"
 .Ft "int"
 .Fn tls_read "struct tls *ctx" "void *buf" "size_t buflen" "size_t *outlen"
@@ -180,6 +183,9 @@ file descriptors by calling
 A server can accept a new client connection by calling
 .Fn tls_accept_socket
 on an already established socket connection.
+Alternatively, a new client connection can be accepted over a pair of existing
+file descriptors by calling
+.Fn tls_accept_fds .
 .Pp
 Two functions are provided for input and output,
 .Fn tls_read
@@ -357,6 +363,16 @@ connects a client context to a pair of existing file descriptors.
 .Fn tls_connect_socket
 connects a client context to an already established socket connection.
 .It
+.Fn tls_accept_fds
+creates a new context suitable for reading and writing on an existing pair of
+file descriptors and returns it in
+.Fa *cctx .
+A configured server context should be passed in
+.Fa ctx
+and
+.Fa *cctx
+should be initialized to NULL.
+.It
 .Fn tls_accept_socket
 creates a new context suitable for reading and writing on an already
 established socket connection and returns it in
diff --git a/src/lib/libtls/tls_server.c b/src/lib/libtls/tls_server.c
index cbe064e2f5..55b19e472c 100644
--- a/src/lib/libtls/tls_server.c
+++ b/src/lib/libtls/tls_server.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_server.c,v 1.6 2015/03/31 12:21:27 jsing Exp $ */
+/* $OpenBSD: tls_server.c,v 1.7 2015/03/31 14:03:38 jsing Exp $ */
 /*
  * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
  *
@@ -99,7 +99,7 @@ err:
 }
 
 int
-tls_accept_socket(struct tls *ctx, struct tls **cctx, int socket)
+tls_accept_fds(struct tls *ctx, struct tls **cctx, int fd_read, int fd_write)
 {
         struct tls *conn_ctx = *cctx;
         int ret, err;
@@ -116,14 +116,13 @@ tls_accept_socket(struct tls *ctx, struct tls **cctx, int socket)
                 }
                 *cctx = conn_ctx;
 
-                conn_ctx->socket = socket;
-
                 if ((conn_ctx->ssl_conn = SSL_new(ctx->ssl_ctx)) == NULL) {
                         tls_set_error(ctx, "ssl failure");
                         goto err;
                 }
 
-                if (SSL_set_fd(conn_ctx->ssl_conn, socket) != 1) {
+                if (SSL_set_rfd(conn_ctx->ssl_conn, fd_read) != 1 ||
+                    SSL_set_wfd(conn_ctx->ssl_conn, fd_write) != 1) {
                         tls_set_error(ctx, "ssl set fd failure");
                         goto err;
                 }
@@ -143,3 +142,15 @@ tls_accept_socket(struct tls *ctx, struct tls **cctx, int socket)
 err:
         return (-1);
 }
+
+int
+tls_accept_socket(struct tls *ctx, struct tls **cctx, int socket)
+{
+        int rv;
+
+        rv = tls_accept_fds(ctx, cctx, socket, socket);
+        if (*cctx != NULL)
+                (*cctx)->socket = socket;
+
+        return (rv);
+}