| author | jsing <> | 2015-03-31 14:03:38 +0000 |
|---|---|---|
| committer | jsing <> | 2015-03-31 14:03:38 +0000 |
| commit | 6532e10a84a6b48e6521919594e1bd396ddacdb6 (patch) | |
| tree | c543b48853afa3779822fdf734c77e67d886bf12 /src | |
| parent | 3ae32b082287786588f78075822ef3789949ab74 (diff) | |
Provide a tls_accept_fds() function, which allows a TLS connection to be
accepted via an existing pair of file descriptors.
Based on a diff from Jan Klemkow.
Diffstat (limited to 'src')
| -rw-r--r-- | src/lib/libtls/Makefile | 3 | ||||
| -rw-r--r-- | src/lib/libtls/tls.h | 4 | ||||
| -rw-r--r-- | src/lib/libtls/tls_init.3 | 20 | ||||
| -rw-r--r-- | src/lib/libtls/tls_server.c | 21 |
4 files changed, 39 insertions, 9 deletions
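--- a/src/lib/libtls/Makefile
+++ b/src/lib/libtls/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.7 2015/02/22 15:09:54 jsing Exp $
+# $OpenBSD: Makefile,v 1.8 2015/03/31 14:03:38 jsing Exp $
 
 CFLAGS+= -Wall -Werror -Wimplicit
 CFLAGS+= -DLIBRESSL_INTERNAL
@@ -49,6 +49,7 @@ MLINKS+=tls_init.3 tls_connect.3
 MLINKS+=tls_init.3 tls_connect_fds.3
 MLINKS+=tls_init.3 tls_connect_servername.3
 MLINKS+=tls_init.3 tls_connect_socket.3
+MLINKS+=tls_init.3 tls_accept_fds.3
 MLINKS+=tls_init.3 tls_accept_socket.3
 MLINKS+=tls_init.3 tls_read.3
 MLINKS+=tls_init.3 tls_write.3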
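--- a/src/lib/libtls/tls.h
+++ b/src/lib/libtls/tls.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls.h,v 1.11 2015/02/26 10:36:30 jsing Exp $ */
+/* $OpenBSD: tls.h,v 1.12 2015/03/31 14:03:38 jsing Exp $ */
 /*
  * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
  *
@@ -72,6 +72,8 @@ int tls_configure(struct tls *_ctx, struct tls_config *_config);
 void tls_reset(struct tls *_ctx);
 void tls_free(struct tls *_ctx);
 
+int tls_accept_fds(struct tls *_ctx, struct tls **_cctx, int _fd_read,
+    int _fd_write);
 int tls_accept_socket(struct tls *_ctx, struct tls **_cctx, int _socket);
 int tls_connect(struct tls *_ctx, const char *_host, const char *_port);
 int tls_connect_fds(struct tls *_ctx, int _fd_read, int _fd_write,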
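--- a/src/lib/libtls/tls_init.3
+++ b/src/lib/libtls/tls_init.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: tls_init.3,v 1.18 2015/02/22 15:09:54 jsing Exp $
+.\" $OpenBSD: tls_init.3,v 1.19 2015/03/31 14:03:38 jsing Exp $
 .\"
 .\" Copyright (c) 2014 Ted Unangst <tedu@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: February 22 2015 $
+.Dd $Mdocdate: March 31 2015 $
 .Dt TLS 3
 .Os
 .Sh NAME
@@ -50,6 +50,7 @@
 .Nm tls_connect_fds ,
 .Nm tls_connect_servername ,
 .Nm tls_connect_socket ,
+.Nm tls_accept_fds ,
 .Nm tls_accept_socket ,
 .Nm tls_read ,
 .Nm tls_write
@@ -120,6 +121,8 @@
 .Ft "int"
 .Fn tls_connect_socket "struct tls *ctx" "int s" "const char *servername"
 .Ft "int"
+.Fn tls_accept_fds "struct tls *tls" "struct tls **cctx" "int fd_read" "int fd_write"
+.Ft "int"
 .Fn tls_accept_socket "struct tls *tls" "struct tls **cctx" "int socket"
 .Ft "int"
 .Fn tls_read "struct tls *ctx" "void *buf" "size_t buflen" "size_t *outlen"
@@ -180,6 +183,9 @@ file descriptors by calling
 A server can accept a new client connection by calling
 .Fn tls_accept_socket
 on an already established socket connection.
+Alternatively, a new client connection can be accepted over a pair of existing
+file descriptors by calling
+.Fn tls_accept_fds .
 .Pp
 Two functions are provided for input and output,
 .Fn tls_read
@@ -357,6 +363,16 @@ connects a client context to a pair of existing file descriptors.
 .Fn tls_connect_socket
 connects a client context to an already established socket connection.
 .It
+.Fn tls_accept_fds
+creates a new context suitable for reading and writing on an existing pair of
+file descriptors and returns it in
+.Fa *cctx .
+A configured server context should be passed in
+.Fa ctx
+and
+.Fa *cctx
+should be initialized to NULL.
+.It
 .Fn tls_accept_socket
 creates a new context suitable for reading and writing on an already
 established socket connection and returns it in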
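--- a/src/lib/libtls/tls_server.c
+++ b/src/lib/libtls/tls_server.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_server.c,v 1.6 2015/03/31 12:21:27 jsing Exp $ */
+/* $OpenBSD: tls_server.c,v 1.7 2015/03/31 14:03:38 jsing Exp $ */
 /*
  * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
  *
@@ -99,7 +99,7 @@ err:
 }
 
 int
-tls_accept_socket(struct tls *ctx, struct tls **cctx, int socket)
+tls_accept_fds(struct tls *ctx, struct tls **cctx, int fd_read, int fd_write)
 {
 	struct tls *conn_ctx = *cctx;
 	int ret, err;
@@ -116,14 +116,13 @@ tls_accept_socket(struct tls *ctx, struct tls **cctx, int socket)
 	}
 	*cctx = conn_ctx;
 
-	conn_ctx->socket = socket;
-
 	if ((conn_ctx->ssl_conn = SSL_new(ctx->ssl_ctx)) == NULL) {
 		tls_set_error(ctx, "ssl failure");
 		goto err;
 	}
 
-	if (SSL_set_fd(conn_ctx->ssl_conn, socket) != 1) {
+	if (SSL_set_rfd(conn_ctx->ssl_conn, fd_read) != 1 ||
+	    SSL_set_wfd(conn_ctx->ssl_conn, fd_write) != 1) {
 		tls_set_error(ctx, "ssl set fd failure");
 		goto err;
 	}
@@ -143,3 +142,15 @@ tls_accept_socket(struct tls *ctx, struct tls **cctx, int socket)
 err:
 	return (-1);
 }
+
+int
+tls_accept_socket(struct tls *ctx, struct tls **cctx, int socket)
+{
+	int rv;
+
+	rv = tls_accept_fds(ctx, cctx, socket, socket);
+	if (*cctx != NULL)
+		(*cctx)->socket = socket;
+
+	return (rv);
+}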
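Review bot: The new tls_accept_socket wrapper (new lines 151-153) stores the descriptor into (*cctx)->socket while tls_accept_fds no longer does (the `conn_ctx->socket = socket;` assignment is dropped from the body in the -116 hunk), and nothing in the hunk says why; presumably the socket field is what the library later shuts down on close, so a context created through tls_accept_fds leaves fd_read and fd_write owned by the caller, mirroring tls_connect_fds — confirm against tls_close() before relying on it. A one-line comment above the assignment would pin that down, e.g. `/* tls_accept_fds() leaves conn_ctx->socket unset so the caller keeps ownership of fd_read/fd_write; only the socket variant hands its fd to the context. */`, and the new tls_accept_fds entry in tls_init.3 should state the same ownership rule so callers know which side must close the descriptors. The assignment also runs when tls_accept_fds() returned -1 after allocating *cctx, which keeps the failed context consistent for cleanup but deserves a word in the same comment. tls_accept_fds itself begins in the -99 hunk and only part of its body is visible here.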
