authorjsing <jsing@openbsd.org>2015-03-31 14:03:38 +0000
committerjsing <jsing@openbsd.org>2015-03-31 14:03:38 +0000
commite1e4dea2b52940f45c0895e151bb50c59d22d0d7 (patch)
treeb9ee691f53d28686c32e7aebc35a0b6163c6d70b /lib/libtls
parentDo not iterate past the size of the array. (diff)
Provide a tls_accept_fds() function, which allows a TLS connection to be
accepted via an existing pair of file descriptors. Based on a diff from Jan Klemkow.
Diffstat (limited to 'lib/libtls')
-rw-r--r--lib/libtls/Makefile3
-rw-r--r--lib/libtls/tls.h4
-rw-r--r--lib/libtls/tls_init.320
-rw-r--r--lib/libtls/tls_server.c21
4 files changed, 39 insertions, 9 deletions
diff --git a/lib/libtls/Makefile b/lib/libtls/Makefile
index e5434f50712..9d88c15923a 100644
--- a/lib/libtls/Makefile
+++ b/lib/libtls/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.7 2015/02/22 15:09:54 jsing Exp $
+# $OpenBSD: Makefile,v 1.8 2015/03/31 14:03:38 jsing Exp $
CFLAGS+= -Wall -Werror -Wimplicit
CFLAGS+= -DLIBRESSL_INTERNAL
@@ -49,6 +49,7 @@ MLINKS+=tls_init.3 tls_connect.3
MLINKS+=tls_init.3 tls_connect_fds.3
MLINKS+=tls_init.3 tls_connect_servername.3
MLINKS+=tls_init.3 tls_connect_socket.3
+MLINKS+=tls_init.3 tls_accept_fds.3
MLINKS+=tls_init.3 tls_accept_socket.3
MLINKS+=tls_init.3 tls_read.3
MLINKS+=tls_init.3 tls_write.3
diff --git a/lib/libtls/tls.h b/lib/libtls/tls.h
index de58b92963f..e9971ade0e0 100644
--- a/lib/libtls/tls.h
+++ b/lib/libtls/tls.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls.h,v 1.11 2015/02/26 10:36:30 jsing Exp $ */
+/* $OpenBSD: tls.h,v 1.12 2015/03/31 14:03:38 jsing Exp $ */
/*
* Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
*
@@ -72,6 +72,8 @@ int tls_configure(struct tls *_ctx, struct tls_config *_config);
void tls_reset(struct tls *_ctx);
void tls_free(struct tls *_ctx);
+int tls_accept_fds(struct tls *_ctx, struct tls **_cctx, int _fd_read,
+ int _fd_write);
int tls_accept_socket(struct tls *_ctx, struct tls **_cctx, int _socket);
int tls_connect(struct tls *_ctx, const char *_host, const char *_port);
int tls_connect_fds(struct tls *_ctx, int _fd_read, int _fd_write,
diff --git a/lib/libtls/tls_init.3 b/lib/libtls/tls_init.3
index 3e888115e8f..f038f9313af 100644
--- a/lib/libtls/tls_init.3
+++ b/lib/libtls/tls_init.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: tls_init.3,v 1.18 2015/02/22 15:09:54 jsing Exp $
+.\" $OpenBSD: tls_init.3,v 1.19 2015/03/31 14:03:38 jsing Exp $
.\"
.\" Copyright (c) 2014 Ted Unangst <tedu@openbsd.org>
.\"
@@ -14,7 +14,7 @@
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
-.Dd $Mdocdate: February 22 2015 $
+.Dd $Mdocdate: March 31 2015 $
.Dt TLS 3
.Os
.Sh NAME
@@ -50,6 +50,7 @@
.Nm tls_connect_fds ,
.Nm tls_connect_servername ,
.Nm tls_connect_socket ,
+.Nm tls_accept_fds ,
.Nm tls_accept_socket ,
.Nm tls_read ,
.Nm tls_write
@@ -120,6 +121,8 @@
.Ft "int"
.Fn tls_connect_socket "struct tls *ctx" "int s" "const char *servername"
.Ft "int"
+.Fn tls_accept_fds "struct tls *tls" "struct tls **cctx" "int fd_read" "int fd_write"
+.Ft "int"
.Fn tls_accept_socket "struct tls *tls" "struct tls **cctx" "int socket"
.Ft "int"
.Fn tls_read "struct tls *ctx" "void *buf" "size_t buflen" "size_t *outlen"
@@ -180,6 +183,9 @@ file descriptors by calling
A server can accept a new client connection by calling
.Fn tls_accept_socket
on an already established socket connection.
+Alternatively, a new client connection can be accepted over a pair of existing
+file descriptors by calling
+.Fn tls_accept_fds .
.Pp
Two functions are provided for input and output,
.Fn tls_read
@@ -357,6 +363,16 @@ connects a client context to a pair of existing file descriptors.
.Fn tls_connect_socket
connects a client context to an already established socket connection.
.It
+.Fn tls_accept_fds
+creates a new context suitable for reading and writing on an existing pair of
+file descriptors and returns it in
+.Fa *cctx .
+A configured server context should be passed in
+.Fa ctx
+and
+.Fa *cctx
+should be initialized to NULL.
+.It
.Fn tls_accept_socket
creates a new context suitable for reading and writing on an already
established socket connection and returns it in
diff --git a/lib/libtls/tls_server.c b/lib/libtls/tls_server.c
index cbe064e2f5e..55b19e472c0 100644
--- a/lib/libtls/tls_server.c
+++ b/lib/libtls/tls_server.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_server.c,v 1.6 2015/03/31 12:21:27 jsing Exp $ */
+/* $OpenBSD: tls_server.c,v 1.7 2015/03/31 14:03:38 jsing Exp $ */
/*
* Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
*
@@ -99,7 +99,7 @@ err:
}
int
-tls_accept_socket(struct tls *ctx, struct tls **cctx, int socket)
+tls_accept_fds(struct tls *ctx, struct tls **cctx, int fd_read, int fd_write)
{
struct tls *conn_ctx = *cctx;
int ret, err;
@@ -116,14 +116,13 @@ tls_accept_socket(struct tls *ctx, struct tls **cctx, int socket)
}
*cctx = conn_ctx;
- conn_ctx->socket = socket;
-
if ((conn_ctx->ssl_conn = SSL_new(ctx->ssl_ctx)) == NULL) {
tls_set_error(ctx, "ssl failure");
goto err;
}
- if (SSL_set_fd(conn_ctx->ssl_conn, socket) != 1) {
+ if (SSL_set_rfd(conn_ctx->ssl_conn, fd_read) != 1 ||
+ SSL_set_wfd(conn_ctx->ssl_conn, fd_write) != 1) {
tls_set_error(ctx, "ssl set fd failure");
goto err;
}
@@ -143,3 +142,15 @@ tls_accept_socket(struct tls *ctx, struct tls **cctx, int socket)
err:
return (-1);
}
+
+int
+tls_accept_socket(struct tls *ctx, struct tls **cctx, int socket)
+{
+ int rv;
+
+ rv = tls_accept_fds(ctx, cctx, socket, socket);
+ if (*cctx != NULL)
+ (*cctx)->socket = socket;
+
+ return (rv);
+}
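Review bot: tls_accept_fds never assigns conn_ctx->socket, so whether a later tls_close()/tls_free() on the returned context closes fd_read and fd_write depends on the value the new context gets when it is allocated, which is outside this hunk; the man page entry for tls_accept_fds is also silent on who owns the descriptors. I would make it explicit with a comment above the SSL_set_rfd line, `/* The caller keeps ownership of fd_read/fd_write; conn_ctx->socket is left untouched so tls_close() does not close them. */`, and state the same in the tls_init.3 description. In the new tls_accept_socket wrapper, `(*cctx)->socket = socket` runs even when rv is -1, which matches the old ordering (the socket was stored before SSL_new) but means a failed accept leaves a context that owns the caller's socket; if that is intended so tls_free() releases it, a one-line comment there would stop a future reader from "fixing" it. tls_accept_fds begins in the previous hunk and its body is split across hunks, so this reviews only the visible lines.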