3 I've been hacking together a way to use rsync with OpenSSL, and have
4 attached my current patch against a recent CVS tree. The details of
5 this implementation are:
7 1. The SSL code is added as a "layer" that is forked into its own
10 2. An SSL connection is established by the client issuing the
15 And, if the daemon allows SSL, it replies with
19 At which point both sides begin negotiating the SSL connection.
20 Servers that can't or don't want to use SSL just treat it as a
21 normal unknown command.
23 3. The SSL code is meant to be unobtrusive, and when this patch is
24 applied the program may still be built with no SSL code.
26 4. There are a number of details not implemented.
28 All warnings apply; I don't do C programming all that often, so I
29 can't say if I've left any cleanup/compatibility errors in the code.
31 To use this patch, run these commands for a successful build:
33 patch -p1 <patches/openssl-support.diff
38 diff --git a/Makefile.in b/Makefile.in
39 index feacb90..3016643 100644
42 @@ -41,7 +41,7 @@ OBJS3=progress.o pipe.o
43 DAEMON_OBJ = params.o loadparm.o clientserver.o access.o connection.o authenticate.o
44 popt_OBJS=popt/findme.o popt/popt.o popt/poptconfig.o \
45 popt/popthelp.o popt/poptparse.o
46 -OBJS=$(OBJS1) $(OBJS2) $(OBJS3) $(DAEMON_OBJ) $(LIBOBJ) $(ZLIBOBJ) @BUILD_POPT@
47 +OBJS=$(OBJS1) $(OBJS2) $(OBJS3) $(DAEMON_OBJ) $(LIBOBJ) $(ZLIBOBJ) @BUILD_POPT@ @SSL_OBJS@
49 TLS_OBJ = tls.o syscall.o lib/compat.o lib/snprintf.o lib/permstring.o lib/sysxattrs.o @BUILD_POPT@
51 diff --git a/cleanup.c b/cleanup.c
52 index 19ef072..506f575 100644
62 extern int keep_partial;
63 extern int got_xfer_error;
64 extern int output_needs_newline;
65 @@ -127,6 +130,14 @@ NORETURN void _exit_cleanup(int code, const char *file, int line)
80 diff --git a/clientserver.c b/clientserver.c
81 index b6afe00..5467c72 100644
84 @@ -30,6 +30,9 @@ extern int am_sender;
91 extern int rsync_port;
92 extern int protect_args;
93 extern int ignore_errors;
94 @@ -134,8 +137,18 @@ int start_socket_client(char *host, int remote_argc, char *remote_argv[],
97 ret = start_inband_exchange(fd, fd, user, remote_argc, remote_argv);
103 + int f_in = get_tls_rfd();
104 + int f_out = get_tls_wfd();
105 + return client_run(f_in, f_out, -1, argc, argv);
109 - return ret ? ret : client_run(fd, fd, -1, argc, argv);
110 + return client_run(fd, fd, -1, argc, argv);
113 static int exchange_protocols(int f_in, int f_out, char *buf, size_t bufsiz, int am_client)
114 @@ -278,6 +291,32 @@ int start_inband_exchange(int f_in, int f_out, const char *user, int argc, char
115 if (DEBUG_GTE(CMD, 1))
116 print_child_argv("sending daemon args:", sargs);
120 + io_printf(f_out, "#starttls\n");
122 + if (!read_line_old(f_in, line, sizeof line)) {
123 + rprintf(FERROR, "rsync: did not receive reply to #starttls\n");
126 + if (strncmp(line, "@ERROR", 6) == 0) {
127 + rprintf(FERROR, "%s\n", line);
130 + if (strcmp(line, "@RSYNCD: starttls") == 0)
132 + rprintf(FINFO, "%s\n", line);
134 + if (start_tls(f_in, f_out)) {
135 + rprintf(FERROR, "rsync: error during SSL handshake: %s\n",
139 + f_in = get_tls_rfd();
140 + f_out = get_tls_wfd();
144 io_printf(f_out, "%.*s\n", modlen, modname);
146 /* Old servers may just drop the connection here,
147 @@ -303,6 +342,10 @@ int start_inband_exchange(int f_in, int f_out, const char *user, int argc, char
148 * server to terminate the listing of modules.
149 * We don't want to go on and transfer
150 * anything; just exit. */
158 @@ -310,6 +353,10 @@ int start_inband_exchange(int f_in, int f_out, const char *user, int argc, char
159 rprintf(FERROR, "%s\n", line);
160 /* This is always fatal; the server will now
161 * close the socket. */
169 @@ -1022,6 +1069,9 @@ int start_daemon(int f_in, int f_out)
170 if (exchange_protocols(f_in, f_out, line, sizeof line, 0) < 0)
177 if (!read_line_old(f_in, line, sizeof line))
179 @@ -1033,6 +1083,20 @@ int start_daemon(int f_in, int f_out)
184 + if (use_ssl && strcmp(line, "#starttls") == 0) {
185 + io_printf(f_out, "@RSYNCD: starttls\n");
186 + if (start_tls(f_in, f_out)) {
187 + rprintf(FLOG, "SSL connection failed: %s\n",
191 + f_in = get_tls_rfd();
192 + f_out = get_tls_wfd();
198 /* it's some sort of command that I don't understand */
199 io_printf(f_out, "@ERROR: Unknown command '%s'\n", line);
200 diff --git a/configure.in b/configure.in
201 index bc7d4a7..73ca6c5 100644
204 @@ -293,6 +293,21 @@ if test x"$enable_locale" != x"no"; then
205 AC_DEFINE(CONFIG_LOCALE)
208 +AC_ARG_ENABLE(openssl,
209 + AC_HELP_STRING([--enable-openssl], [compile SSL support with OpenSSL.]))
211 +if test "x$enable_openssl" != xno
214 + AC_CHECK_LIB(ssl, SSL_library_init, , [have_ssl=no])
215 + if test "x$have_ssl" = xyes
217 + AC_DEFINE(HAVE_OPENSSL, 1, [true if you want to use SSL.])
223 AC_MSG_CHECKING([whether to call shutdown on all sockets])
225 *cygwin* ) AC_MSG_RESULT(yes)
226 diff --git a/options.c b/options.c
227 index e7c6c61..634b89e 100644
230 @@ -191,6 +191,14 @@ int logfile_format_has_o_or_i = 0;
231 int always_checksum = 0;
236 +char *ssl_cert_path = NULL;
237 +char *ssl_key_path = NULL;
238 +char *ssl_key_passwd = NULL;
239 +char *ssl_ca_path = NULL;
242 #define MAX_BATCH_NAME_LEN 256 /* Must be less than MAXPATHLEN-13 */
243 char *batch_name = NULL;
245 @@ -566,6 +574,7 @@ static void print_rsync_version(enum logcode f)
246 char const *links = "no ";
247 char const *iconv = "no ";
248 char const *ipv6 = "no ";
249 + char const *ssl = "no ";
250 STRUCT_STAT *dumstat;
252 #if SUBPROTOCOL_VERSION != 0
253 @@ -599,6 +608,9 @@ static void print_rsync_version(enum logcode f)
254 #if defined HAVE_LUTIMES && defined HAVE_UTIMES
261 rprintf(f, "%s version %s protocol version %d%s\n",
262 RSYNC_NAME, RSYNC_VERSION, PROTOCOL_VERSION, subprotocol);
263 @@ -612,8 +624,8 @@ static void print_rsync_version(enum logcode f)
264 (int)(sizeof (int64) * 8));
265 rprintf(f, " %ssocketpairs, %shardlinks, %ssymlinks, %sIPv6, batchfiles, %sinplace,\n",
266 got_socketpair, hardlinks, links, ipv6, have_inplace);
267 - rprintf(f, " %sappend, %sACLs, %sxattrs, %siconv, %ssymtimes\n",
268 - have_inplace, acls, xattrs, iconv, symtimes);
269 + rprintf(f, " %sappend, %sACLs, %sxattrs, %siconv, %ssymtimes, %sSSL\n",
270 + have_inplace, acls, xattrs, iconv, symtimes, ssl);
272 #ifdef MAINTAINER_MODE
273 rprintf(f, "Panic Action: \"%s\"\n", get_panic_action());
274 @@ -784,6 +796,13 @@ void usage(enum logcode F)
276 rprintf(F," -4, --ipv4 prefer IPv4\n");
277 rprintf(F," -6, --ipv6 prefer IPv6\n");
279 + rprintf(F," --ssl allow socket connections to use SSL\n");
280 + rprintf(F," --ssl-cert=FILE path to daemon's SSL certificate\n");
281 + rprintf(F," --ssl-key=FILE path to daemon's SSL private key\n");
282 + rprintf(F," --ssl-key-passwd=PASS password for PEM-encoded private key\n");
283 + rprintf(F," --ssl-ca-certs=FILE path to trusted CA certificates\n");
285 rprintf(F," --version print version number\n");
286 rprintf(F,"(-h) --help show this help (-h works with no other options)\n");
288 @@ -798,7 +817,7 @@ enum {OPT_VERSION = 1000, OPT_DAEMON, OPT_SENDER, OPT_EXCLUDE, OPT_EXCLUDE_FROM,
289 OPT_INCLUDE, OPT_INCLUDE_FROM, OPT_MODIFY_WINDOW, OPT_MIN_SIZE, OPT_CHMOD,
290 OPT_READ_BATCH, OPT_WRITE_BATCH, OPT_ONLY_WRITE_BATCH, OPT_MAX_SIZE,
291 OPT_NO_D, OPT_APPEND, OPT_NO_ICONV, OPT_INFO, OPT_DEBUG,
292 - OPT_USERMAP, OPT_GROUPMAP, OPT_CHOWN,
293 + OPT_USERMAP, OPT_GROUPMAP, OPT_CHOWN, OPT_USE_SSL,
294 OPT_SERVER, OPT_REFUSED_BASE = 9000};
296 static struct poptOption long_options[] = {
297 @@ -1012,6 +1031,13 @@ static struct poptOption long_options[] = {
298 {"checksum-seed", 0, POPT_ARG_INT, &checksum_seed, 0, 0, 0 },
299 {"server", 0, POPT_ARG_NONE, 0, OPT_SERVER, 0, 0 },
300 {"sender", 0, POPT_ARG_NONE, 0, OPT_SENDER, 0, 0 },
302 + {"ssl", 0, POPT_ARG_NONE, 0, OPT_USE_SSL, 0, 0},
303 + {"ssl-cert", 0, POPT_ARG_STRING, &ssl_cert_path, OPT_USE_SSL, 0, 0},
304 + {"ssl-key", 0, POPT_ARG_STRING, &ssl_key_path, OPT_USE_SSL, 0, 0},
305 + {"ssl-key-passwd", 0, POPT_ARG_STRING, &ssl_key_passwd, OPT_USE_SSL, 0, 0},
306 + {"ssl-ca-certs", 0, POPT_ARG_STRING, &ssl_ca_path, OPT_USE_SSL, 0, 0},
308 /* All the following options switch us into daemon-mode option-parsing. */
309 {"config", 0, POPT_ARG_STRING, 0, OPT_DAEMON, 0, 0 },
310 {"daemon", 0, POPT_ARG_NONE, 0, OPT_DAEMON, 0, 0 },
311 @@ -1039,6 +1065,13 @@ static void daemon_usage(enum logcode F)
312 rprintf(F," -v, --verbose increase verbosity\n");
313 rprintf(F," -4, --ipv4 prefer IPv4\n");
314 rprintf(F," -6, --ipv6 prefer IPv6\n");
316 + rprintf(F," --ssl allow socket connections to use SSL\n");
317 + rprintf(F," --ssl-cert=FILE path to daemon's SSL certificate\n");
318 + rprintf(F," --ssl-key=FILE path to daemon's SSL private key\n");
319 + rprintf(F," --ssl-key-passwd=PASS password for PEM-encoded private key\n");
320 + rprintf(F," --ssl-ca-certs=FILE path to trusted CA certificates\n");
322 rprintf(F," --help show this help screen\n");
325 @@ -1064,6 +1097,13 @@ static struct poptOption long_daemon_options[] = {
326 {"protocol", 0, POPT_ARG_INT, &protocol_version, 0, 0, 0 },
327 {"server", 0, POPT_ARG_NONE, &am_server, 0, 0, 0 },
328 {"temp-dir", 'T', POPT_ARG_STRING, &tmpdir, 0, 0, 0 },
330 + {"ssl", 0, POPT_ARG_NONE, 0, OPT_USE_SSL, 0, 0},
331 + {"ssl-cert", 0, POPT_ARG_STRING, &ssl_cert_path, OPT_USE_SSL, 0, 0},
332 + {"ssl-key", 0, POPT_ARG_STRING, &ssl_key_path, OPT_USE_SSL, 0, 0},
333 + {"ssl-key-passwd", 0, POPT_ARG_STRING, &ssl_key_passwd, OPT_USE_SSL, 0, 0},
334 + {"ssl-ca-certs", 0, POPT_ARG_STRING, &ssl_ca_path, OPT_USE_SSL, 0, 0},
336 {"verbose", 'v', POPT_ARG_NONE, 0, 'v', 0, 0 },
337 {"no-verbose", 0, POPT_ARG_VAL, &verbose, 0, 0, 0 },
338 {"no-v", 0, POPT_ARG_VAL, &verbose, 0, 0, 0 },
339 @@ -1358,6 +1398,12 @@ int parse_arguments(int *argc_p, const char ***argv_p)
351 "rsync: %s: %s (in daemon mode)\n",
352 @@ -1384,6 +1430,17 @@ int parse_arguments(int *argc_p, const char ***argv_p)
353 exit_cleanup(RERR_SYNTAX);
359 + snprintf(err_buf, sizeof(err_buf),
360 + "Openssl error: %s\n",
367 *argv_p = argv = poptGetArgs(pc);
368 *argc_p = argc = count_args(argv);
370 @@ -1742,6 +1799,12 @@ int parse_arguments(int *argc_p, const char ***argv_p)
381 /* A large opt value means that set_refuse_options()
382 * turned this option off. */
383 @@ -2108,6 +2171,17 @@ int parse_arguments(int *argc_p, const char ***argv_p)
384 if (delay_updates && !partial_dir)
385 partial_dir = tmp_partialdir;
390 + snprintf(err_buf, sizeof(err_buf),
391 + "Openssl error: %s\n",
399 #ifdef HAVE_FTRUNCATE
401 @@ -2698,9 +2772,18 @@ char *check_for_hostspec(char *s, char **host_ptr, int *port_ptr)
405 - if (port_ptr && strncasecmp(URL_PREFIX, s, strlen(URL_PREFIX)) == 0) {
406 - *host_ptr = parse_hostspec(s + strlen(URL_PREFIX), &path, port_ptr);
409 + int url_prefix_len;
410 + if (strncasecmp(URL_PREFIX, s, sizeof URL_PREFIX - 1) == 0)
411 + url_prefix_len = sizeof URL_PREFIX - 1;
412 + else if (strncasecmp(SSL_URL_PREFIX, s, sizeof SSL_URL_PREFIX - 1) == 0) {
416 + url_prefix_len = sizeof SSL_URL_PREFIX - 1;
418 + url_prefix_len = 0;
419 + if (url_prefix_len && (*host_ptr = parse_hostspec(s + url_prefix_len, &path, port_ptr))) {
421 *port_ptr = RSYNC_PORT;
423 diff --git a/rsync.h b/rsync.h
424 index be7cf8a..7b7cc88 100644
429 #define DEFAULT_LOCK_FILE "/var/run/rsyncd.lock"
430 #define URL_PREFIX "rsync://"
431 +#define SSL_URL_PREFIX "rsyncs://"
433 #define SYMLINK_PREFIX "/rsyncd-munged/" /* This MUST have a trailing slash! */
434 #define SYMLINK_PREFIX_LEN ((int)sizeof SYMLINK_PREFIX - 1)
435 @@ -569,6 +570,11 @@ typedef unsigned int size_t;
436 # define SIZEOF_INT64 SIZEOF_OFF_T
440 +#include <openssl/ssl.h>
441 +#include <openssl/err.h>
447 diff --git a/ssl.c b/ssl.c
449 index 0000000..f0d4d9f
453 +/* -*- c-file-style: "linux" -*-
454 + * ssl.c: operations for negotiating SSL rsync connections.
456 + * Copyright (C) 2003 Casey Marshall <rsdio@metastatic.org>
458 + * This program is free software; you can redistribute it and/or modify
459 + * it under the terms of the GNU General Public License as published by
460 + * the Free Software Foundation; either version 2 of the License, or
461 + * (at your option) any later version.
463 + * This program is distributed in the hope that it will be useful,
464 + * but WITHOUT ANY WARRANTY; without even the implied warranty of
465 + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
466 + * GNU General Public License for more details.
468 + * You should have received a copy of the GNU General Public License
469 + * along with this program; if not, write to the Free Software
470 + * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
475 +#ifdef HAVE_SYS_SELECT_H
476 +#include <sys/select.h>
478 +#include <sys/time.h>
479 +#include <sys/types.h>
484 +#define BUF_SIZE 1024
486 +extern int am_daemon;
487 +extern int am_server;
489 +extern char *ssl_cert_path;
490 +extern char *ssl_key_path;
491 +extern char *ssl_key_passwd;
492 +extern char *ssl_ca_path;
494 +static SSL_CTX *ssl_ctx;
496 +static int tls_read[2] = { -1, -1 };
497 +static int tls_write[2] = { -1, -1 };
498 +static int ssl_running;
499 +static int ssl_pid = -1;
501 +#ifdef HAVE_SIGACTION
502 +static struct sigaction sigact;
506 + * A non-interactive callback to be passed to SSL_CTX_set_default_password_cb,
507 + * which merely copies the value of ssl_key_passwd into buf. This is
508 + * used for when the private key password is supplied via an option.
510 +static int default_password_cb(char *buf, int n, UNUSED(int f), UNUSED(void *u))
512 + if (ssl_key_passwd == NULL || n < (int)strlen(ssl_key_passwd))
514 + strncpy(buf, ssl_key_passwd, n-1);
515 + return strlen(ssl_key_passwd);
519 + * If verbose, this method traces the status of the SSL handshake.
521 +static void info_callback(const SSL *ssl, int cb, int val)
528 + cbs = "SSL_CB_LOOP";
531 + cbs = "SSL_CB_EXIT";
534 + cbs = "SSL_CB_READ";
537 + cbs = "SSL_CB_WRITE";
540 + cbs = "SSL_CB_ALERT";
542 + case SSL_CB_READ_ALERT:
543 + cbs = "SSL_CB_READ_ALERT";
545 + case SSL_CB_WRITE_ALERT:
546 + cbs = "SSL_CB_WRITE_ALERT";
548 + case SSL_CB_ACCEPT_LOOP:
549 + cbs = "SSL_CB_ACCEPT_LOOP";
551 + case SSL_CB_ACCEPT_EXIT:
552 + cbs = "SSL_CB_ACCEPT_EXIT";
554 + case SSL_CB_CONNECT_LOOP:
555 + cbs = "SSL_CB_CONNECT_LOOP";
557 + case SSL_CB_CONNECT_EXIT:
558 + cbs = "SSL_CB_CONNECT_EXIT";
560 + case SSL_CB_HANDSHAKE_START:
561 + cbs = "SSL_CB_HANDSHAKE_START";
563 + case SSL_CB_HANDSHAKE_DONE:
564 + cbs = "SSL_CB_HANDSHAKE_DONE";
567 + snprintf(buf, sizeof buf, "??? (%d)", cb);
571 + if (DEBUG_GTE(CONNECT, 1)) {
572 + rprintf(FLOG, "SSL: info_callback(%p,%s,%d)\n", ssl, cbs, val);
573 + if (cb == SSL_CB_HANDSHAKE_DONE) {
574 + SSL_CIPHER_description(SSL_get_current_cipher((SSL*)ssl),
576 + rprintf(FLOG, "SSL: cipher: %s", buf);
582 + * Initializes the SSL context for TLSv1 connections; returns zero on
589 + SSL_library_init();
590 + SSL_load_error_strings();
591 + ssl_ctx = SSL_CTX_new(TLSv1_method());
594 + SSL_CTX_set_info_callback(ssl_ctx, info_callback);
596 + /* Sets the certificate sent to the other party. */
597 + if (ssl_cert_path != NULL
598 + && SSL_CTX_use_certificate_file(ssl_ctx, ssl_cert_path,
599 + SSL_FILETYPE_PEM) != 1)
601 + /* Set up the simple non-interactive callback if the password
602 + * was supplied on the command line. */
603 + if (ssl_key_passwd != NULL)
604 + SSL_CTX_set_default_passwd_cb(ssl_ctx, default_password_cb);
605 + /* Sets the private key that matches the public certificate. */
606 + if (ssl_key_path != NULL) {
607 + if (SSL_CTX_use_PrivateKey_file(ssl_ctx, ssl_key_path,
608 + SSL_FILETYPE_PEM) != 1)
610 + if (SSL_CTX_check_private_key(ssl_ctx) != 1)
613 + if (ssl_ca_path != NULL
614 + && !SSL_CTX_load_verify_locations(ssl_ctx, ssl_ca_path, NULL))
621 + * Returns the error string for the current SSL error, if any.
623 +char *get_ssl_error(void)
625 + return ERR_error_string(ERR_get_error(), NULL);
629 + * Returns the input file descriptor for the SSL connection.
631 +int get_tls_rfd(void)
633 + return tls_read[0];
637 + * Returns the output file descriptor for the SSL connection.
639 +int get_tls_wfd(void)
641 + return tls_write[1];
645 + * Signal handler that ends the SSL connection.
647 +static RETSIGTYPE tls_sigusr1(int UNUSED(val))
658 + * Negotiates the TLS connection, creates a socket pair for communicating
659 + * with the rsync process, then forks into a new process that will handle
660 + * the communication.
662 + * 0 is returned on success.
664 +int start_tls(int f_in, int f_out)
668 + unsigned char buf1[BUF_SIZE], buf2[BUF_SIZE];
669 + int avail1 = 0, avail2 = 0, write1 = 0, write2 = 0;
672 + if (fd_pair(tls_read))
674 + if (fd_pair(tls_write))
677 + set_blocking(tls_read[0]);
678 + set_blocking(tls_read[1]);
679 + set_blocking(tls_write[0]);
680 + set_blocking(tls_write[1]);
681 + set_blocking(f_in);
682 + set_blocking(f_out);
684 + ssl_pid = do_fork();
687 + if (ssl_pid != 0) {
688 + close(tls_write[0]);
689 + close(tls_read[1]);
693 + SIGACTION(SIGUSR1, tls_sigusr1);
694 + ssl = SSL_new(ssl_ctx);
697 + if (am_daemon || am_server)
698 + SSL_set_accept_state(ssl);
700 + SSL_set_connect_state(ssl);
701 + SSL_set_rfd(ssl, f_in);
702 + SSL_set_wfd(ssl, f_out);
704 + tls_fd = SSL_get_fd(ssl);
706 + n = MAX(tls_read[1], n);
707 + n = MAX(tls_fd, n) + 1;
710 + while (ssl_running) {
713 + FD_SET(tls_write[0], &rd);
714 + FD_SET(tls_read[1], &wd);
715 + FD_SET(tls_fd, &rd);
716 + FD_SET(tls_fd, &wd);
718 + r = select(n, &rd, &wd, NULL, NULL);
720 + if (r == -1 && errno == EINTR)
722 + if (FD_ISSET(tls_write[0], &rd)) {
723 + r = read(tls_write[0], buf1+avail1, BUF_SIZE-avail1);
727 + rprintf(FERROR, "pipe read error: %s\n",
732 + if (FD_ISSET(tls_fd, &rd)) {
733 + r = SSL_read(ssl, buf2+avail2, BUF_SIZE-avail2);
737 + switch (SSL_get_error(ssl, r)) {
738 + case SSL_ERROR_ZERO_RETURN:
740 + case SSL_ERROR_WANT_READ:
741 + case SSL_ERROR_WANT_WRITE:
743 + case SSL_ERROR_SYSCALL:
745 + rprintf(FERROR, "SSL spurious EOF\n");
747 + rprintf(FERROR, "SSL I/O error: %s\n",
750 + case SSL_ERROR_SSL:
751 + rprintf(FERROR, "SSL: %s\n",
752 + ERR_error_string(ERR_get_error(), NULL));
755 + rprintf(FERROR, "unexpected ssl error %d\n", r);
760 + if (FD_ISSET(tls_read[1], &wd) && write2 < avail2) {
761 + r = write(tls_read[1], buf2+write2, avail2-write2);
765 + rprintf(FERROR, "pipe write error: %s\n",
770 + if (FD_ISSET(tls_fd, &wd) && write1 < avail1) {
771 + r = SSL_write(ssl, buf1+write1, avail1-write1);
775 + switch (SSL_get_error(ssl, r)) {
776 + case SSL_ERROR_ZERO_RETURN:
778 + case SSL_ERROR_WANT_READ:
779 + case SSL_ERROR_WANT_WRITE:
781 + case SSL_ERROR_SYSCALL:
783 + rprintf(FERROR, "SSL: spurious EOF\n");
785 + rprintf(FERROR, "SSL: I/O error: %s\n",
788 + case SSL_ERROR_SSL:
789 + rprintf(FERROR, "SSL: %s\n",
790 + ERR_error_string(ERR_get_error(), NULL));
793 + rprintf(FERROR, "unexpected ssl error %d\n", r);
798 + if (avail1 == write1)
799 + avail1 = write1 = 0;
800 + if (avail2 == write2)
801 + avail2 = write2 = 0;
804 + /* XXX I'm pretty sure that there is a lot that I am not considering
805 + here. Bugs? Yes, probably. */
807 + /* We're finished. */
809 + close(tls_read[1]);
810 + close(tls_write[0]);
815 + * Ends the TLS connection.
820 + kill(ssl_pid, SIGUSR1);