diff options
Diffstat (limited to 'lib')
| -rw-r--r-- | lib/libtls/tls.h | 4 | ||||
| -rw-r--r-- | lib/libtls/tls_client.c | 19 | ||||
| -rw-r--r-- | lib/libtls/tls_init.3 | 17 |
3 files changed, 34 insertions, 6 deletions
diff --git a/lib/libtls/tls.h b/lib/libtls/tls.h index 0fa776e584c..21e1d74b357 100644 --- a/lib/libtls/tls.h +++ b/lib/libtls/tls.h @@ -1,4 +1,4 @@ -/* $OpenBSD: tls.h,v 1.1 2014/10/31 13:46:17 jsing Exp $ */ +/* $OpenBSD: tls.h,v 1.2 2014/11/02 14:45:05 jsing Exp $ */ /* * Copyright (c) 2014 Joel Sing <jsing@openbsd.org> * @@ -66,6 +66,8 @@ void tls_free(struct tls *ctx); int tls_accept_socket(struct tls *ctx, struct tls **cctx, int socket); int tls_connect(struct tls *ctx, const char *host, const char *port); +int tls_connect_fds(struct tls *ctx, int fd_read, int fd_write, + const char *hostname); int tls_connect_socket(struct tls *ctx, int s, const char *hostname); int tls_read(struct tls *ctx, void *buf, size_t buflen, size_t *outlen); int tls_write(struct tls *ctx, const void *buf, size_t buflen, size_t *outlen); diff --git a/lib/libtls/tls_client.c b/lib/libtls/tls_client.c index 853766f87b6..a4528b9b873 100644 --- a/lib/libtls/tls_client.c +++ b/lib/libtls/tls_client.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tls_client.c,v 1.1 2014/10/31 13:46:17 jsing Exp $ */ +/* $OpenBSD: tls_client.c,v 1.2 2014/11/02 14:45:05 jsing Exp $ */ /* * Copyright (c) 2014 Joel Sing <jsing@openbsd.org> * @@ -123,6 +123,15 @@ err: int tls_connect_socket(struct tls *ctx, int socket, const char *hostname) { + ctx->socket = socket; + + return tls_connect_fds(ctx, socket, socket, hostname); +} + +int +tls_connect_fds(struct tls *ctx, int fd_read, int fd_write, + const char *hostname) +{ union { struct in_addr ip4; struct in6_addr ip6; } addrbuf; X509 *cert = NULL; int ret; @@ -132,7 +141,10 @@ tls_connect_socket(struct tls *ctx, int socket, const char *hostname) goto err; } - ctx->socket = socket; + if (fd_read < 0 || fd_write < 0) { + tls_set_error(ctx, "invalid file descriptors"); + return (-1); + } if ((ctx->ssl_ctx = SSL_CTX_new(SSLv23_client_method())) == NULL) { tls_set_error(ctx, "ssl context failure"); @@ -166,7 +178,8 @@ tls_connect_socket(struct tls *ctx, int socket, const char *hostname) tls_set_error(ctx, "ssl connection failure"); goto err; } - if (SSL_set_fd(ctx->ssl_conn, ctx->socket) != 1) { + if (SSL_set_rfd(ctx->ssl_conn, fd_read) != 1 || + SSL_set_wfd(ctx->ssl_conn, fd_write) != 1) { tls_set_error(ctx, "ssl file descriptor failure"); goto err; } diff --git a/lib/libtls/tls_init.3 b/lib/libtls/tls_init.3 index faa9b995393..5873f156864 100644 --- a/lib/libtls/tls_init.3 +++ b/lib/libtls/tls_init.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: tls_init.3,v 1.1 2014/10/31 13:46:17 jsing Exp $ +.\" $OpenBSD: tls_init.3,v 1.2 2014/11/02 14:45:05 jsing Exp $ .\" .\" Copyright (c) 2014 Ted Unangst <tedu@openbsd.org> .\" @@ -14,7 +14,7 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd $Mdocdate: October 31 2014 $ +.Dd $Mdocdate: November 2 2014 $ .Dt TLS 3 .Os .Sh NAME @@ -43,6 +43,7 @@ .Nm tls_close , .Nm tls_free , .Nm tls_connect , +.Nm tls_connect_fds , .Nm tls_connect_socket , .Nm tls_read , .Nm tls_write , @@ -100,6 +101,8 @@ .Ft "int" .Fn tls_connect "struct tls *ctx" "const char *host" "const char *port" .Ft "int" +.Fn tls_connect_fds "struct tls *ctx" "int fd_read" "int fd_write" "const char *hostname" +.Ft "int" .Fn tls_connect_socket "struct tls *ctx" "int s" "const char *hostname" .Ft "int" .Fn tls_read "struct tls *ctx" "void *buf" "size_t buflen" "size_t *outlen" @@ -146,6 +149,9 @@ This function will create a new socket, connect to the specified host and port, and then establish a secure connection. An already existing socket can be upgraded to a secure connection by calling .Fn tls_connect_socket . +Alternatively, a secure connection can be established over a pair of existing +file descriptors by calling +.Fn tls_connect_fds . .Pp Two functions are provided for input and output, .Fn tls_read @@ -263,6 +269,10 @@ options. .It .Fn tls_close closes a connection after use. +If the connection was established using +.Fn tls_connect_fds , +only the TLS layer will be closed and it is the caller's responsibility to close +the file descriptors. .It .Fn tls_free frees a tls context after use. @@ -280,6 +290,9 @@ The may be numeric or a service name. If it is NULL then a host of the format "hostname:port" is permitted. .It +.Fn tls_connect_fds +connects a client context to a pair of existing file descriptors. +.It .Fn tls_connect_socket connects a client context to an already established socket connection. .It |