On Thu, 30 Oct 2014, Jan Klemkow wrote:
> Hello,
>
> This diff enables libressl to use two file descriptors for read and
> write. This is feature is necessary for communication over two pipes
> like in the UCSPI protocol [1]. resslc[3] is a general ssl-client.
>
> +-----------+ +--------+ +--------+
>
> | tcpserver | --> | resslc | --> | client |
> |
> | | <-- | | <-- | |
>
> +-----------+ +--------+ +--------+
>
> This diff adds a new function ressl_set_fds() to set separate file
> descriptors for read and write inside the ressl context structure.
> The function ressl_connect_socket() sets the read and write file
> descriptors if they were set before. I also adapted the related manpage.
How about this API - instead of having a (now) tls_set_fds() function and then
calling tls_connect_socket(), you call tls_connect_fds() directly if you need
that functionality?
Also, should tls_close() handle the read/write file descriptors or leave them
for the caller to close?
> This approach may not the best to get this feature. I am open to every
> idea that solves this problem in a better way. I am not sure whether it
> is nessacery to touch shlib_version. So, I leave it untouched.
When adding new symbols shlib_version should be bumped, but whoever commits
would handle that.
Index: tls.c
===================================================================
RCS file: /cvs/src/lib/libtls/tls.c,v
retrieving revision 1.1
diff -u -p -r1.1 tls.c
--- tls.c 31 Oct 2014 13:46:17 -0000 1.1
+++ tls.c 31 Oct 2014 16:20:52 -0000
@@ -217,6 +217,8 @@ tls_reset(struct tls *ctx)
ctx->ssl_conn = NULL;
ctx->ssl_ctx = NULL;
+ ctx->fd_read = -1;
+ ctx->fd_write = -1;
ctx->socket = -1;
ctx->err = 0;
Index: tls.h
===================================================================
RCS file: /cvs/src/lib/libtls/tls.h,v
retrieving revision 1.1
diff -u -p -r1.1 tls.h
--- tls.h 31 Oct 2014 13:46:17 -0000 1.1
+++ tls.h 31 Oct 2014 16:20:52 -0000
@@ -66,6 +66,8 @@ void tls_free(struct tls *ctx);
int tls_accept_socket(struct tls *ctx, struct tls **cctx, int socket);
int tls_connect(struct tls *ctx, const char *host, const char *port);
+int tls_connect_fds(struct tls *ctx, int fd_read, int fd_write,
+ const char *hostname);
int tls_connect_socket(struct tls *ctx, int s, const char *hostname);
int tls_read(struct tls *ctx, void *buf, size_t buflen, size_t *outlen);
int tls_write(struct tls *ctx, const void *buf, size_t buflen, size_t *outlen);
Index: tls_client.c
===================================================================
RCS file: /cvs/src/lib/libtls/tls_client.c,v
retrieving revision 1.1
diff -u -p -r1.1 tls_client.c
--- tls_client.c 31 Oct 2014 13:46:17 -0000 1.1
+++ tls_client.c 31 Oct 2014 16:20:52 -0000
@@ -123,6 +123,15 @@ err:
int
tls_connect_socket(struct tls *ctx, int socket, const char *hostname)
{
+ ctx->socket = socket;
+
+ return tls_connect_fds(ctx, socket, socket, hostname);
+}
+
+int
+tls_connect_fds(struct tls *ctx, int fd_read, int fd_write,
+ const char *hostname)
+{
union { struct in_addr ip4; struct in6_addr ip6; } addrbuf;
X509 *cert = NULL;
int ret;
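Review bot: tls_connect_socket now stores `ctx->socket = socket;` before tls_connect_fds has had a chance to reject the descriptor, so after a failed call the context keeps a possibly negative socket while fd_read and fd_write remain at their reset value of -1. Assigning only after a successful return keeps the three fields consistent: `int rv = tls_connect_fds(ctx, socket, socket, hostname); if (rv == 0) ctx->socket = socket; return (rv);` — this assumes tls_connect_fds follows the file's 0-on-success convention, which the hunk does not show. The new tls_connect_fds also lacks a header comment; one stating that fd_read and fd_write may refer to the same descriptor (tls_connect_socket passes its socket as both) would help readers of the public API. The body of tls_connect_fds continues past this hunk.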
@@ -132,7 +141,13 @@ tls_connect_socket(struct tls *ctx, int
goto err;
}
- ctx->socket = socket;
+ if (fd_read < 0 || fd_write < 0) {
+ tls_set_error(ctx, "invalid file descriptors");
+ return (-1);
+ }
+
+ ctx->fd_read = fd_read;
+ ctx->fd_write = fd_write;
if ((ctx->ssl_ctx = SSL_CTX_new(SSLv23_client_method())) == NULL) {
tls_set_error(ctx, "ssl context failure");
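Review bot: The invalid-descriptor check returns with `return (-1);` while the check immediately above it (the `goto err;` at the top of the hunk) and the SSL_CTX_new failure just below both leave through the `err:` label, so the same function now has two error-exit styles. Using `goto err;` here keeps the exits uniform; nothing has been allocated at that point, so routing through the cleanup is harmless. The enclosing function tls_connect_fds starts before this hunk and continues after it.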
@@ -166,7 +181,8 @@ tls_connect_socket(struct tls *ctx, int
tls_set_error(ctx, "ssl connection failure");
goto err;
}
- if (SSL_set_fd(ctx->ssl_conn, ctx->socket) != 1) {
+ if (SSL_set_rfd(ctx->ssl_conn, ctx->fd_read) != 1 ||
+ SSL_set_wfd(ctx->ssl_conn, ctx->fd_write) != 1) {
tls_set_error(ctx, "ssl file descriptor failure");
goto err;
}
Index: tls_internal.h
===================================================================
RCS file: /cvs/src/lib/libtls/tls_internal.h,v
retrieving revision 1.1
diff -u -p -r1.1 tls_internal.h
--- tls_internal.h 31 Oct 2014 13:46:17 -0000 1.1
+++ tls_internal.h 31 Oct 2014 16:20:52 -0000
@@ -53,6 +53,8 @@ struct tls {
int err;
char *errmsg;
+ int fd_read;
+ int fd_write;
int socket;
SSL *ssl_conn;
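Review bot: The two new struct members carry no comment explaining how they relate to the existing `socket` member or what their unset value is, even though tls_reset in this same patch initialises all three to -1 and tls_connect_socket passes its socket as both descriptors. Comments such as `int fd_read; /* -1 when unset; same as fd_write for socket connections */` and `int fd_write; /* -1 when unset */` would save a reader from tracing tls.c and tls_client.c to learn this.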
--
"Action without study is fatal. Study without action is futile."
-- Mary Ritter Beard