Add a tls_connect_fds() function that allows a secure connection to be

established using a pair of existing file descriptors.

Based on a diff/request from Jan Klemkow.

Rides previous libtls rename/library bump.

Discussed with tedu@.

3 files changed, 34 insertions, 6 deletions

diff --git a/src/lib/libtls/tls.h b/src/lib/libtls/tls.h
index 0fa776e584..21e1d74b35 100644
--- a/src/lib/libtls/tls.h
+++ b/src/lib/libtls/tls.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls.h,v 1.1 2014/10/31 13:46:17 jsing Exp $ */
+/* $OpenBSD: tls.h,v 1.2 2014/11/02 14:45:05 jsing Exp $ */
 /*
  * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
  *
@@ -66,6 +66,8 @@ void tls_free(struct tls *ctx);
 
 int tls_accept_socket(struct tls *ctx, struct tls **cctx, int socket);
 int tls_connect(struct tls *ctx, const char *host, const char *port);
+int tls_connect_fds(struct tls *ctx, int fd_read, int fd_write,
+    const char *hostname);
 int tls_connect_socket(struct tls *ctx, int s, const char *hostname);
 int tls_read(struct tls *ctx, void *buf, size_t buflen, size_t *outlen);
 int tls_write(struct tls *ctx, const void *buf, size_t buflen, size_t *outlen);
diff --git a/src/lib/libtls/tls_client.c b/src/lib/libtls/tls_client.c
index 853766f87b..a4528b9b87 100644
--- a/src/lib/libtls/tls_client.c
+++ b/src/lib/libtls/tls_client.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_client.c,v 1.1 2014/10/31 13:46:17 jsing Exp $ */
+/* $OpenBSD: tls_client.c,v 1.2 2014/11/02 14:45:05 jsing Exp $ */
 /*
  * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
  *
@@ -123,6 +123,15 @@ err:
 int
 tls_connect_socket(struct tls *ctx, int socket, const char *hostname)
 {
+        ctx->socket = socket;
+
+        return tls_connect_fds(ctx, socket, socket, hostname);
+}
+
+int
+tls_connect_fds(struct tls *ctx, int fd_read, int fd_write,
+    const char *hostname)
+{
         union { struct in_addr ip4; struct in6_addr ip6; } addrbuf;
         X509 *cert = NULL;
         int ret;
@@ -132,7 +141,10 @@ tls_connect_socket(struct tls *ctx, int socket, const char *hostname)
                 goto err;
         }
 
-        ctx->socket = socket;
+        if (fd_read < 0 || fd_write < 0) {
+                tls_set_error(ctx, "invalid file descriptors");
+                return (-1);
+        }
 
         if ((ctx->ssl_ctx = SSL_CTX_new(SSLv23_client_method())) == NULL) {
                 tls_set_error(ctx, "ssl context failure");
@@ -166,7 +178,8 @@ tls_connect_socket(struct tls *ctx, int socket, const char *hostname)
                 tls_set_error(ctx, "ssl connection failure");
                 goto err;
         }
-        if (SSL_set_fd(ctx->ssl_conn, ctx->socket) != 1) {
+        if (SSL_set_rfd(ctx->ssl_conn, fd_read) != 1 ||
+            SSL_set_wfd(ctx->ssl_conn, fd_write) != 1) {
                 tls_set_error(ctx, "ssl file descriptor failure");
                 goto err;
         }
diff --git a/src/lib/libtls/tls_init.3 b/src/lib/libtls/tls_init.3
index faa9b99539..5873f15686 100644
--- a/src/lib/libtls/tls_init.3
+++ b/src/lib/libtls/tls_init.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: tls_init.3,v 1.1 2014/10/31 13:46:17 jsing Exp $
+.\" $OpenBSD: tls_init.3,v 1.2 2014/11/02 14:45:05 jsing Exp $
 .\"
 .\" Copyright (c) 2014 Ted Unangst <tedu@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: October 31 2014 $
+.Dd $Mdocdate: November 2 2014 $
 .Dt TLS 3
 .Os
 .Sh NAME
@@ -43,6 +43,7 @@
 .Nm tls_close ,
 .Nm tls_free ,
 .Nm tls_connect ,
+.Nm tls_connect_fds ,
 .Nm tls_connect_socket ,
 .Nm tls_read ,
 .Nm tls_write ,
@@ -100,6 +101,8 @@
 .Ft "int"
 .Fn tls_connect "struct tls *ctx" "const char *host" "const char *port"
 .Ft "int"
+.Fn tls_connect_fds "struct tls *ctx" "int fd_read" "int fd_write" "const char *hostname"
+.Ft "int"
 .Fn tls_connect_socket "struct tls *ctx" "int s" "const char *hostname"
 .Ft "int"
 .Fn tls_read "struct tls *ctx" "void *buf" "size_t buflen" "size_t *outlen"
@@ -146,6 +149,9 @@ This function will create a new socket, connect to the specified host and
 port, and then establish a secure connection.
 An already existing socket can be upgraded to a secure connection by calling
 .Fn tls_connect_socket .
+Alternatively, a secure connection can be established over a pair of existing
+file descriptors by calling
+.Fn tls_connect_fds .
 .Pp
 Two functions are provided for input and output,
 .Fn tls_read
@@ -263,6 +269,10 @@ options.
 .It
 .Fn tls_close
 closes a connection after use.
+If the connection was established using
+.Fn tls_connect_fds ,
+only the TLS layer will be closed and it is the caller's responsibility to close
+the file descriptors.
 .It
 .Fn tls_free
 frees a tls context after use.
@@ -280,6 +290,9 @@ The
 may be numeric or a service name.
 If it is NULL then a host of the format "hostname:port" is permitted.
 .It
+.Fn tls_connect_fds
+connects a client context to a pair of existing file descriptors.
+.It
 .Fn tls_connect_socket
 connects a client context to an already established socket connection.
 .It