From ae4a0ba982e7f6609f71539c65c23a5bdfdf446d Mon Sep 17 00:00:00 2001
From: jsing <>
Date: Sun, 2 Nov 2014 14:45:05 +0000
Subject: Add a tls_connect_fds() function that allows a secure connection to be established using a pair of existing file descriptors. Based on a diff/request from Jan Klemkow. Rides previous libtls rename/library bump. Discussed with tedu@.
---
 src/lib/libtls/tls.h | 4 +++-
 src/lib/libtls/tls_client.c | 19 ++++++++++++++++---
 src/lib/libtls/tls_init.3 | 17 +++++++++++++++--
 3 files changed, 34 insertions(+), 6 deletions(-)
(limited to 'src')
diff --git a/src/lib/libtls/tls.h b/src/lib/libtls/tls.h
index 0fa776e584..21e1d74b35 100644
--- a/src/lib/libtls/tls.h
+++ b/src/lib/libtls/tls.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls.h,v 1.1 2014/10/31 13:46:17 jsing Exp $ */
+/* $OpenBSD: tls.h,v 1.2 2014/11/02 14:45:05 jsing Exp $ */
 /*
 * Copyright (c) 2014 Joel Sing
 *
@@ -66,6 +66,8 @@ void tls_free(struct tls *ctx);
 int tls_accept_socket(struct tls *ctx, struct tls **cctx, int socket);
 int tls_connect(struct tls *ctx, const char *host, const char *port);
+int tls_connect_fds(struct tls *ctx, int fd_read, int fd_write,
+ const char *hostname);
 int tls_connect_socket(struct tls *ctx, int s, const char *hostname);
 int tls_read(struct tls *ctx, void *buf, size_t buflen, size_t *outlen);
 int tls_write(struct tls *ctx, const void *buf, size_t buflen, size_t *outlen);
diff --git a/src/lib/libtls/tls_client.c b/src/lib/libtls/tls_client.c
index 853766f87b..a4528b9b87 100644
--- a/src/lib/libtls/tls_client.c
+++ b/src/lib/libtls/tls_client.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_client.c,v 1.1 2014/10/31 13:46:17 jsing Exp $ */
+/* $OpenBSD: tls_client.c,v 1.2 2014/11/02 14:45:05 jsing Exp $ */
 /*
 * Copyright (c) 2014 Joel Sing
 *
@@ -122,6 +122,15 @@ err:
 int
 tls_connect_socket(struct tls *ctx, int socket, const char *hostname)
+{
+ ctx->socket = socket;
+
+ return tls_connect_fds(ctx, socket, socket, hostname);
+}
+
+int
+tls_connect_fds(struct tls *ctx, int fd_read, int fd_write,
+ const char *hostname)
 {
 union { struct in_addr ip4; struct in6_addr ip6; } addrbuf;
 X509 *cert = NULL;
@@ -132,7 +141,10 @@ tls_connect_socket(struct tls *ctx, int socket, const char *hostname)
 goto err;
 }
- ctx->socket = socket;
+ if (fd_read < 0 || fd_write < 0) {
+ tls_set_error(ctx, "invalid file descriptors");
+ return (-1);
+ }
 if ((ctx->ssl_ctx = SSL_CTX_new(SSLv23_client_method())) == NULL) {
 tls_set_error(ctx, "ssl context failure");
@@ -166,7 +178,8 @@ tls_connect_socket(struct tls *ctx, int socket, const char *hostname)
 tls_set_error(ctx, "ssl connection failure");
 goto err;
 }
- if (SSL_set_fd(ctx->ssl_conn, ctx->socket) != 1) {
+ if (SSL_set_rfd(ctx->ssl_conn, fd_read) != 1 ||
+ SSL_set_wfd(ctx->ssl_conn, fd_write) != 1) {
 tls_set_error(ctx, "ssl file descriptor failure");
 goto err;
 }
diff --git a/src/lib/libtls/tls_init.3 b/src/lib/libtls/tls_init.3
index faa9b99539..5873f15686 100644
--- a/src/lib/libtls/tls_init.3
+++ b/src/lib/libtls/tls_init.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: tls_init.3,v 1.1 2014/10/31 13:46:17 jsing Exp $
+.\" $OpenBSD: tls_init.3,v 1.2 2014/11/02 14:45:05 jsing Exp $
 .\"
 .\" Copyright (c) 2014 Ted Unangst
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: October 31 2014 $
+.Dd $Mdocdate: November 2 2014 $
 .Dt TLS 3
 .Os
 .Sh NAME
@@ -43,6 +43,7 @@
 .Nm tls_close ,
 .Nm tls_free ,
 .Nm tls_connect ,
+.Nm tls_connect_fds ,
 .Nm tls_connect_socket ,
 .Nm tls_read ,
 .Nm tls_write ,
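Review bot: In the new tls_connect_socket wrapper (hunk at -122,6), `ctx->socket = socket;` now runs before every check in tls_connect_fds, including the `fd_read < 0 || fd_write < 0` test added in the next hunk, whereas the removed assignment sat after an earlier `goto err` check. A call rejected by those checks therefore leaves the caller's descriptor, or a negative value, recorded in the context. If tls_close or tls_free act on ctx->socket, as the man page text about tls_connect_fds suggests they do for socket connections, a later cleanup could close a descriptor the caller still believes it owns. Assuming 0 signals success, consider recording it only then, `if ((rv = tls_connect_fds(ctx, socket, socket, hostname)) == 0) ctx->socket = socket;` followed by `return (rv);`, or state in the man page who owns the socket after a failed connect.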
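Review bot: The descriptor check added in the hunk at -132,7 leaves with `return (-1);` while every other failure path visible in tls_connect_fds uses `goto err;`, so this one branch would bypass whatever cleanup lives under the label now or is added later. Using `goto err;` here keeps a single failure exit. The function body starts and ends outside the hunk, so what `err:` actually does is not visible. A comment above the check such as `/* fds are borrowed: the caller keeps ownership and must close them */` would also put the ownership rule from the man page next to the code that relies on it.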
@@ -100,6 +101,8 @@
 .Ft "int"
 .Fn tls_connect "struct tls *ctx" "const char *host" "const char *port"
 .Ft "int"
+.Fn tls_connect_fds "struct tls *ctx" "int fd_read" "int fd_write" "const char *hostname"
+.Ft "int"
 .Fn tls_connect_socket "struct tls *ctx" "int s" "const char *hostname"
 .Ft "int"
 .Fn tls_read "struct tls *ctx" "void *buf" "size_t buflen" "size_t *outlen"
@@ -146,6 +149,9 @@ This function will create a new socket, connect to the specified host and port,
 and then establish a secure connection.
 An already existing socket can be upgraded to a secure connection by calling
 .Fn tls_connect_socket .
+Alternatively, a secure connection can be established over a pair of existing
+file descriptors by calling
+.Fn tls_connect_fds .
 .Pp
 Two functions are provided for input and output,
 .Fn tls_read
@@ -263,6 +269,10 @@ options.
 .It
 .Fn tls_close
 closes a connection after use.
+If the connection was established using
+.Fn tls_connect_fds ,
+only the TLS layer will be closed and it is the caller's responsibility to close
+the file descriptors.
 .It
 .Fn tls_free
 frees a tls context after use.
@@ -280,6 +290,9 @@ The
 may be numeric or a service name.
 If it is NULL then a host of the format "hostname:port" is permitted.
 .It
+.Fn tls_connect_fds
+connects a client context to a pair of existing file descriptors.
+.It
 .Fn tls_connect_socket
 connects a client context to an already established socket connection.
 .It
-- 
cgit v1.2.3-55-g6feb