1 files changed, 134 insertions, 0 deletions
diff --git a/src/lib/libtls/tls_server.c b/src/lib/libtls/tls_server.c
new file mode 100644
index 0000000000..001f19ded4
--- /dev/null
+++ b/src/lib/libtls/tls_server.c
@@ -0,0 +1,134 @@
+/* $OpenBSD: tls_server.c,v 1.1 2014/10/31 13:46:17 jsing Exp $ */
+/*
+ * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+#include <openssl/ec.h>
+#include <openssl/ssl.h>
+#include <tls.h>
+#include "tls_internal.h"
+struct tls *
+tls_server(void)
+{
+        struct tls *ctx;
+        if ((ctx = tls_new()) == NULL)
+                return (NULL);
+        ctx->flags |= TLS_SERVER;
+        return (ctx);
+}
+struct tls *
+tls_server_conn(struct tls *ctx)
+{
+        struct tls *conn_ctx;
+        if ((conn_ctx = tls_new()) == NULL)
+                return (NULL);
+        conn_ctx->flags |= TLS_SERVER_CONN;
+        return (conn_ctx);
+}
+int
+tls_configure_server(struct tls *ctx)
+{
+        EC_KEY *ecdh_key;
+        if ((ctx->ssl_ctx = SSL_CTX_new(SSLv23_server_method())) == NULL) {
+                tls_set_error(ctx, "ssl context failure");
+                goto err;
+        }
+        if (tls_configure_ssl(ctx) != 0)
+                goto err;
+        if (tls_configure_keypair(ctx) != 0)
+                goto err;
+        if (ctx->config->ecdhcurve == -1) {
+                SSL_CTX_set_ecdh_auto(ctx->ssl_ctx, 1);
+        } else if (ctx->config->ecdhcurve != NID_undef) {
+                if ((ecdh_key = EC_KEY_new_by_curve_name(
+                    ctx->config->ecdhcurve)) == NULL) {
+                        tls_set_error(ctx, "failed to set ECDH curve");
+                        goto err;
+                }
+                SSL_CTX_set_options(ctx->ssl_ctx, SSL_OP_SINGLE_ECDH_USE);
+                SSL_CTX_set_tmp_ecdh(ctx->ssl_ctx, ecdh_key);
+                EC_KEY_free(ecdh_key);
+        }
+        return (0);
+err:
+        return (-1);
+}
+int
+tls_accept_socket(struct tls *ctx, struct tls **cctx, int socket)
+{
+        struct tls *conn_ctx = *cctx;
+        int ret, ssl_err;
+        
+        if ((ctx->flags & TLS_SERVER) == 0) {
+                tls_set_error(ctx, "not a server context");
+                goto err;
+        }
+        if (conn_ctx == NULL) {
+                if ((conn_ctx = tls_server_conn(ctx)) == NULL) {
+                        tls_set_error(ctx, "connection context failure");
+                        goto err;
+                }
+                *cctx = conn_ctx;
+                conn_ctx->socket = socket;
+                if ((conn_ctx->ssl_conn = SSL_new(ctx->ssl_ctx)) == NULL) {
+                        tls_set_error(ctx, "ssl failure");
+                        goto err;
+                }
+                if (SSL_set_fd(conn_ctx->ssl_conn, socket) != 1) {
+                        tls_set_error(ctx, "ssl set fd failure");
+                        goto err;
+                }
+                SSL_set_app_data(conn_ctx->ssl_conn, conn_ctx);
+        }
+        if ((ret = SSL_accept(conn_ctx->ssl_conn)) != 1) {
+                ssl_err = SSL_get_error(conn_ctx->ssl_conn, ret);
+                switch (ssl_err) {
+                case SSL_ERROR_WANT_READ:
+                        return (TLS_READ_AGAIN);
+                case SSL_ERROR_WANT_WRITE:
+                        return (TLS_WRITE_AGAIN);
+                default:
+                        tls_set_error(ctx, "ssl accept failure (%i)",
+                            ssl_err);
+                        goto err;
+                }
+        }
+        return (0);
+err:
+        return (-1);
+}

diff --git a/src/lib/libtls/tls_server.c b/src/lib/libtls/tls_server.c new file mode 100644 index 0000000000..001f19ded4 --- /dev/null +++ b/src/lib/libtls/tls_server.c
@@ -0,0 +1,134 @@
	1	/* $OpenBSD: tls_server.c,v 1.1 2014/10/31 13:46:17 jsing Exp $ */
	2	/*
	3	* Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
	4	*
	5	* Permission to use, copy, modify, and distribute this software for any
	6	* purpose with or without fee is hereby granted, provided that the above
	7	* copyright notice and this permission notice appear in all copies.
	8	*
	9	* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
	10	* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
	11	* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
	12	* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
	13	* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
	14	* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
	15	* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
	16	*/
	17
	18	#include <openssl/ec.h>
	19	#include <openssl/ssl.h>
	20
	21	#include <tls.h>
	22	#include "tls_internal.h"
	23
	24	struct tls *
	25	tls_server(void)
	26	{
	27	struct tls *ctx;
	28
	29	if ((ctx = tls_new()) == NULL)
	30	return (NULL);
	31
	32	ctx->flags \|= TLS_SERVER;
	33
	34	return (ctx);
	35	}
	36
	37	struct tls *
	38	tls_server_conn(struct tls *ctx)
	39	{
	40	struct tls *conn_ctx;
	41
	42	if ((conn_ctx = tls_new()) == NULL)
	43	return (NULL);
	44
	45	conn_ctx->flags \|= TLS_SERVER_CONN;
	46
	47	return (conn_ctx);
	48	}
	49
	50	int
	51	tls_configure_server(struct tls *ctx)
	52	{
	53	EC_KEY *ecdh_key;
	54
	55	if ((ctx->ssl_ctx = SSL_CTX_new(SSLv23_server_method())) == NULL) {
	56	tls_set_error(ctx, "ssl context failure");
	57	goto err;
	58	}
	59
	60	if (tls_configure_ssl(ctx) != 0)
	61	goto err;
	62	if (tls_configure_keypair(ctx) != 0)
	63	goto err;
	64
	65	if (ctx->config->ecdhcurve == -1) {
	66	SSL_CTX_set_ecdh_auto(ctx->ssl_ctx, 1);
	67	} else if (ctx->config->ecdhcurve != NID_undef) {
	68	if ((ecdh_key = EC_KEY_new_by_curve_name(
	69	ctx->config->ecdhcurve)) == NULL) {
	70	tls_set_error(ctx, "failed to set ECDH curve");
	71	goto err;
	72	}
	73	SSL_CTX_set_options(ctx->ssl_ctx, SSL_OP_SINGLE_ECDH_USE);
	74	SSL_CTX_set_tmp_ecdh(ctx->ssl_ctx, ecdh_key);
	75	EC_KEY_free(ecdh_key);
	76	}
	77
	78	return (0);
	79
	80	err:
	81	return (-1);
	82	}
	83
	84	int
	85	tls_accept_socket(struct tls ctx, struct tls *cctx, int socket)
	86	{
	87	struct tls conn_ctx = cctx;
	88	int ret, ssl_err;
	89
	90	if ((ctx->flags & TLS_SERVER) == 0) {
	91	tls_set_error(ctx, "not a server context");
	92	goto err;
	93	}
	94
	95	if (conn_ctx == NULL) {
	96	if ((conn_ctx = tls_server_conn(ctx)) == NULL) {
	97	tls_set_error(ctx, "connection context failure");
	98	goto err;
	99	}
	100	*cctx = conn_ctx;
	101
	102	conn_ctx->socket = socket;
	103
	104	if ((conn_ctx->ssl_conn = SSL_new(ctx->ssl_ctx)) == NULL) {
	105	tls_set_error(ctx, "ssl failure");
	106	goto err;
	107	}
	108
	109	if (SSL_set_fd(conn_ctx->ssl_conn, socket) != 1) {
	110	tls_set_error(ctx, "ssl set fd failure");
	111	goto err;
	112	}
	113	SSL_set_app_data(conn_ctx->ssl_conn, conn_ctx);
	114	}
	115
	116	if ((ret = SSL_accept(conn_ctx->ssl_conn)) != 1) {
	117	ssl_err = SSL_get_error(conn_ctx->ssl_conn, ret);
	118	switch (ssl_err) {
	119	case SSL_ERROR_WANT_READ:
	120	return (TLS_READ_AGAIN);
	121	case SSL_ERROR_WANT_WRITE:
	122	return (TLS_WRITE_AGAIN);
	123	default:
	124	tls_set_error(ctx, "ssl accept failure (%i)",
	125	ssl_err);
	126	goto err;
	127	}
	128	}
	129
	130	return (0);
	131
	132	err:
	133	return (-1);
	134	}