On Sat, 1 Nov 2014, Jan Klemkow wrote:
> On Fri, Oct 31, 2014 at 09:18:26PM -0700, Doug Hogan wrote:
> > On Sat, Nov 01, 2014 at 03:07:24AM +0100, Jan Klemkow wrote:
> > > Index: tls_client.c
> > > ===================================================================
> > > RCS file: /cvs/src/lib/libtls/tls_client.c,v
> > > retrieving revision 1.1
> > > diff -u -p -r1.1 tls_client.c
> > > --- tls_client.c 31 Oct 2014 13:46:17 -0000 1.1
> > > +++ tls_client.c 1 Nov 2014 01:50:56 -0000
> > > @@ -123,6 +123,13 @@ err:
> > > int
> > > tls_connect_socket(struct tls *ctx, int socket, const char *hostname)
> > > {
> > > + return tls_connect_fds(ctx, socket, socket, hostname);
> > > +}
> >
> > This changes the behavior of tls_connect_socket() and tls_connect().
> > Joel's diff set ctx->socket = socket before calling tls_connect_fds() so
> > it would behave the same. When you call tls_close(ctx), it will close
> > ctx->socket in the existing code and Joel's diff.
> >
> > I don't think you want to change the semantics like this. I think
> > either tls_connect_fds() is the special case where you need to manually
> > close the sockets or tls_close() should close everything. With the
> > above change, even people calling tls_connect() will need to save one of
> > the fd_(read|write) before calling tls_close() and then close the fd
> > afterward.
>
> Oh, sorry. This is my fault. I experimented a little bit and forgot
> this part. I corrected it in the diff below. Additionally I add some
> extra information about the closing behavior inside of the manpage.
Thanks. I've just committed a slightly different version of this.
> Thanks,
> Jan
>
> Index: tls.c
> ===================================================================
> RCS file: /cvs/src/lib/libtls/tls.c,v
> retrieving revision 1.1
> diff -u -p -r1.1 tls.c
> --- tls.c 31 Oct 2014 13:46:17 -0000 1.1
> +++ tls.c 1 Nov 2014 11:59:36 -0000
> @@ -217,6 +217,8 @@ tls_reset(struct tls *ctx)
> ctx->ssl_conn = NULL;
> ctx->ssl_ctx = NULL;
>
> + ctx->fd_read = -1;
> + ctx->fd_write = -1;
> ctx->socket = -1;
>
> ctx->err = 0;
> @@ -290,6 +292,8 @@ tls_close(struct tls *ctx)
> tls_set_error(ctx, "close");
> goto err;
> }
> + ctx->fd_read = -1;
> + ctx->fd_write = -1;
> ctx->socket = -1;
> }
>
> Index: tls.h
> ===================================================================
> RCS file: /cvs/src/lib/libtls/tls.h,v
> retrieving revision 1.1
> diff -u -p -r1.1 tls.h
> --- tls.h 31 Oct 2014 13:46:17 -0000 1.1
> +++ tls.h 1 Nov 2014 11:59:36 -0000
> @@ -66,6 +66,8 @@ void tls_free(struct tls *ctx);
>
> int tls_accept_socket(struct tls *ctx, struct tls **cctx, int socket);
> int tls_connect(struct tls *ctx, const char *host, const char *port);
> +int tls_connect_fds(struct tls *ctx, int fd_read, int fd_write,
> + const char *hostname);
> int tls_connect_socket(struct tls *ctx, int s, const char *hostname);
> int tls_read(struct tls *ctx, void *buf, size_t buflen, size_t *outlen);
> int tls_write(struct tls *ctx, const void *buf, size_t buflen, size_t
> *outlen); Index: tls_client.c
> ===================================================================
> RCS file: /cvs/src/lib/libtls/tls_client.c,v
> retrieving revision 1.1
> diff -u -p -r1.1 tls_client.c
> --- tls_client.c 31 Oct 2014 13:46:17 -0000 1.1
> +++ tls_client.c 1 Nov 2014 11:59:36 -0000
> @@ -123,6 +123,15 @@ err:
> int
> tls_connect_socket(struct tls *ctx, int socket, const char *hostname)
> {
> + ctx->socket = socket;
> +
> + return tls_connect_fds(ctx, socket, socket, hostname);
> +}
> +
> +int
> +tls_connect_fds(struct tls *ctx, int fd_read, int fd_write,
> + const char *hostname)
> +{
> union { struct in_addr ip4; struct in6_addr ip6; } addrbuf;
> X509 *cert = NULL;
> int ret;
> @@ -132,7 +141,13 @@ tls_connect_socket(struct tls *ctx, int
> goto err;
> }
>
> - ctx->socket = socket;
> + if (fd_read < 0 || fd_write < 0) {
> + tls_set_error(ctx, "invalid file descriptors");
> + return (-1);
> + }
> +
> + ctx->fd_read = fd_read;
> + ctx->fd_write = fd_write;
>
> if ((ctx->ssl_ctx = SSL_CTX_new(SSLv23_client_method())) == NULL) {
> tls_set_error(ctx, "ssl context failure");
> @@ -166,7 +181,8 @@ tls_connect_socket(struct tls *ctx, int
> tls_set_error(ctx, "ssl connection failure");
> goto err;
> }
> - if (SSL_set_fd(ctx->ssl_conn, ctx->socket) != 1) {
> + if (SSL_set_rfd(ctx->ssl_conn, ctx->fd_read) != 1 ||
> + SSL_set_wfd(ctx->ssl_conn, ctx->fd_write) != 1) {
> tls_set_error(ctx, "ssl file descriptor failure");
> goto err;
> }
> Index: tls_init.3
> ===================================================================
> RCS file: /cvs/src/lib/libtls/tls_init.3,v
> retrieving revision 1.1
> diff -u -p -r1.1 tls_init.3
> --- tls_init.3 31 Oct 2014 13:46:17 -0000 1.1
> +++ tls_init.3 1 Nov 2014 11:59:36 -0000
> @@ -43,6 +43,7 @@
> .Nm tls_close ,
> .Nm tls_free ,
> .Nm tls_connect ,
> +.Nm tls_connect_fds ,
> .Nm tls_connect_socket ,
> .Nm tls_read ,
> .Nm tls_write ,
> @@ -100,6 +101,8 @@
> .Ft "int"
> .Fn tls_connect "struct tls *ctx" "const char *host" "const char *port"
> .Ft "int"
> +.Fn tls_connect_fds "struct tls *ctx" "int fd_read" "int fd_write" "const
> char *hostname" +.Ft "int"
> .Fn tls_connect_socket "struct tls *ctx" "int s" "const char *hostname"
> .Ft "int"
> .Fn tls_read "struct tls *ctx" "void *buf" "size_t buflen" "size_t
> *outlen" @@ -146,6 +149,9 @@ This function will create a new socket,
> port, and then establish a secure connection.
> An already existing socket can be upgraded to a secure connection by
> calling .Fn tls_connect_socket .
> +An already existing connection with two separate file descriptors for read
> and +write can be upgraded to a secure connection by calling
> +.Fn tls_connect_fds .
> .Pp
> Two functions are provided for input and output,
> .Fn tls_read
> @@ -158,6 +164,13 @@ should be closed with
> .Fn tls_close ,
> and then freed by calling
> .Fn tls_free .
> +If
> +.Fn tls_connect_fds
> +was used to connect before, only the TLS layer will be closed by calling
> +.Fn tls_close .
> +The caller have to close the file descriptors which were used by
> +.Fn tls_connect_fds
> +by itself.
> When no more contexts are to be created, the
> .Em tls_config
> object should be freed by calling
> @@ -279,6 +292,10 @@ The
> .Fa port
> may be numeric or a service name.
> If it is NULL then a host of the format "hostname:port" is permitted.
> +.It
> +.Fn tls_connect_fds
> +connects a client context to an already established connection with two
> separate +file descriptors for read and write.
> .It
> .Fn tls_connect_socket
> connects a client context to an already established socket connection.
> Index: tls_internal.h
> ===================================================================
> RCS file: /cvs/src/lib/libtls/tls_internal.h,v
> retrieving revision 1.1
> diff -u -p -r1.1 tls_internal.h
> --- tls_internal.h 31 Oct 2014 13:46:17 -0000 1.1
> +++ tls_internal.h 1 Nov 2014 11:59:36 -0000
> @@ -53,6 +53,8 @@ struct tls {
> int err;
> char *errmsg;
>
> + int fd_read;
> + int fd_write;
> int socket;
>
> SSL *ssl_conn;
--
"Action without study is fatal. Study without action is futile."
-- Mary Ritter Beard
