Casey Marshall wrote: I've been hacking together a way to use rsync with OpenSSL, and have attached my current patch against a recent CVS tree. The details of this implementation are: 1. The SSL code is added as a "layer" that is forked into its own process. 2. An SSL connection is established by the client issuing the command: #starttls And, if the daemon allows SSL, it replies with @RSYNCD: starttls At which point both sides begin negotiating the SSL connection. Servers that can't or don't want to use SSL just treat it as a normal unknown command. 3. The SSL code is meant to be unobtrusive, and when this patch is applied the program may still be built with no SSL code. 4. There are a number of details not implemented. All warnings apply; I don't do C programming all that often, so I can't say if I've left any cleanup/compatibility errors in the code. To use this patch, run these commands for a successful build: patch -p1 1) print_child_argv("sending daemon args:", sargs); +#ifdef HAVE_OPENSSL + if (use_ssl) { + io_printf(f_out, "#starttls\n"); + while (1) { + if (!read_line_old(f_in, line, sizeof line)) { + rprintf(FERROR, "rsync: did not receive reply to #starttls\n"); + return -1; + } + if (strncmp(line, "@ERROR", 6) == 0) { + rprintf(FERROR, "%s\n", line); + return -1; + } + if (strcmp(line, "@RSYNCD: starttls") == 0) + break; + rprintf(FINFO, "%s\n", line); + } + if (start_tls(f_in, f_out)) { + rprintf(FERROR, "rsync: error during SSL handshake: %s\n", + get_ssl_error()); + return -1; + } + f_in = get_tls_rfd(); + f_out = get_tls_wfd(); + } +#endif + io_printf(f_out, "%.*s\n", modlen, modname); /* Old servers may just drop the connection here, @@ -297,6 +336,10 @@ int start_inband_exchange(int f_in, int f_out, const char *user, int argc, char * server to terminate the listing of modules. * We don't want to go on and transfer * anything; just exit. */ +#ifdef HAVE_OPENSSL + if (use_ssl) + end_tls(); +#endif exit(0); } @@ -304,6 +347,10 @@ int start_inband_exchange(int f_in, int f_out, const char *user, int argc, char rprintf(FERROR, "%s\n", line); /* This is always fatal; the server will now * close the socket. */ +#ifdef HAVE_OPENSSL + if (use_ssl) + end_tls(); +#endif return -1; } @@ -934,6 +981,9 @@ int start_daemon(int f_in, int f_out) if (exchange_protocols(f_in, f_out, line, sizeof line, 0) < 0) return -1; +#ifdef HAVE_OPENSSL +retry: +#endif line[0] = 0; if (!read_line_old(f_in, line, sizeof line)) return -1; @@ -945,6 +995,20 @@ int start_daemon(int f_in, int f_out) return -1; } +#ifdef HAVE_OPENSSL + if (use_ssl && strcmp(line, "#starttls") == 0) { + io_printf(f_out, "@RSYNCD: starttls\n"); + if (start_tls(f_in, f_out)) { + rprintf(FLOG, "SSL connection failed: %s\n", + get_ssl_error()); + return -1; + } + f_in = get_tls_rfd(); + f_out = get_tls_wfd(); + goto retry; + } +#endif + if (*line == '#') { /* it's some sort of command that I don't understand */ io_printf(f_out, "@ERROR: Unknown command '%s'\n", line); diff --git a/configure.in b/configure.in --- a/configure.in +++ b/configure.in @@ -295,6 +295,21 @@ if test x"$enable_locale" != x"no"; then AC_DEFINE(CONFIG_LOCALE) fi +AC_ARG_ENABLE(openssl, + AC_HELP_STRING([--enable-openssl], [compile SSL support with OpenSSL.])) + +if test "x$enable_openssl" != xno +then + have_ssl=yes + AC_CHECK_LIB(ssl, SSL_library_init, , [have_ssl=no]) + if test "x$have_ssl" = xyes + then + AC_DEFINE(HAVE_OPENSSL, 1, [true if you want to use SSL.]) + SSL_OBJS=ssl.o + AC_SUBST(SSL_OBJS) + fi +fi + AC_MSG_CHECKING([whether to call shutdown on all sockets]) case $host_os in *cygwin* ) AC_MSG_RESULT(yes) diff --git a/options.c b/options.c --- a/options.c +++ b/options.c @@ -185,6 +185,14 @@ int logfile_format_has_o_or_i = 0; int always_checksum = 0; int list_only = 0; +#ifdef HAVE_OPENSSL +int use_ssl = 0; +char *ssl_cert_path = NULL; +char *ssl_key_path = NULL; +char *ssl_key_passwd = NULL; +char *ssl_ca_path = NULL; +#endif + #define MAX_BATCH_NAME_LEN 256 /* Must be less than MAXPATHLEN-13 */ char *batch_name = NULL; @@ -225,6 +233,7 @@ static void print_rsync_version(enum logcode f) char const *links = "no "; char const *iconv = "no "; char const *ipv6 = "no "; + char const *ssl = "no "; STRUCT_STAT *dumstat; #if SUBPROTOCOL_VERSION != 0 @@ -258,6 +267,9 @@ static void print_rsync_version(enum logcode f) #if defined HAVE_LUTIMES && defined HAVE_UTIMES symtimes = ""; #endif +#ifdef HAVE_OPENSSL + ssl = ""; +#endif rprintf(f, "%s version %s protocol version %d%s\n", RSYNC_NAME, RSYNC_VERSION, PROTOCOL_VERSION, subprotocol); @@ -271,8 +283,8 @@ static void print_rsync_version(enum logcode f) (int)(sizeof (int64) * 8)); rprintf(f, " %ssocketpairs, %shardlinks, %ssymlinks, %sIPv6, batchfiles, %sinplace,\n", got_socketpair, hardlinks, links, ipv6, have_inplace); - rprintf(f, " %sappend, %sACLs, %sxattrs, %siconv, %ssymtimes\n", - have_inplace, acls, xattrs, iconv, symtimes); + rprintf(f, " %sappend, %sACLs, %sxattrs, %siconv, %ssymtimes, %sSSL\n", + have_inplace, acls, xattrs, iconv, symtimes, ssl); #ifdef MAINTAINER_MODE rprintf(f, "Panic Action: \"%s\"\n", get_panic_action()); @@ -434,6 +446,13 @@ void usage(enum logcode F) #endif rprintf(F," -4, --ipv4 prefer IPv4\n"); rprintf(F," -6, --ipv6 prefer IPv6\n"); +#ifdef HAVE_OPENSSL + rprintf(F," --ssl allow socket connections to use SSL\n"); + rprintf(F," --ssl-cert=FILE path to daemon's SSL certificate\n"); + rprintf(F," --ssl-key=FILE path to daemon's SSL private key\n"); + rprintf(F," --ssl-key-passwd=PASS password for PEM-encoded private key\n"); + rprintf(F," --ssl-ca-certs=FILE path to trusted CA certificates\n"); +#endif rprintf(F," --version print version number\n"); rprintf(F,"(-h) --help show this help (-h works with no other options)\n"); @@ -447,7 +466,7 @@ enum {OPT_VERSION = 1000, OPT_DAEMON, OPT_SENDER, OPT_EXCLUDE, OPT_EXCLUDE_FROM, OPT_FILTER, OPT_COMPARE_DEST, OPT_COPY_DEST, OPT_LINK_DEST, OPT_HELP, OPT_INCLUDE, OPT_INCLUDE_FROM, OPT_MODIFY_WINDOW, OPT_MIN_SIZE, OPT_CHMOD, OPT_READ_BATCH, OPT_WRITE_BATCH, OPT_ONLY_WRITE_BATCH, OPT_MAX_SIZE, - OPT_NO_D, OPT_APPEND, OPT_NO_ICONV, + OPT_NO_D, OPT_APPEND, OPT_NO_ICONV, OPT_USE_SSL, OPT_SERVER, OPT_REFUSED_BASE = 9000}; static struct poptOption long_options[] = { @@ -650,6 +669,13 @@ static struct poptOption long_options[] = { {"checksum-seed", 0, POPT_ARG_INT, &checksum_seed, 0, 0, 0 }, {"server", 0, POPT_ARG_NONE, 0, OPT_SERVER, 0, 0 }, {"sender", 0, POPT_ARG_NONE, 0, OPT_SENDER, 0, 0 }, +#ifdef HAVE_OPENSSL + {"ssl", 0, POPT_ARG_NONE, 0, OPT_USE_SSL, 0, 0}, + {"ssl-cert", 0, POPT_ARG_STRING, &ssl_cert_path, OPT_USE_SSL, 0, 0}, + {"ssl-key", 0, POPT_ARG_STRING, &ssl_key_path, OPT_USE_SSL, 0, 0}, + {"ssl-key-passwd", 0, POPT_ARG_STRING, &ssl_key_passwd, OPT_USE_SSL, 0, 0}, + {"ssl-ca-certs", 0, POPT_ARG_STRING, &ssl_ca_path, OPT_USE_SSL, 0, 0}, +#endif /* All the following options switch us into daemon-mode option-parsing. */ {"config", 0, POPT_ARG_STRING, 0, OPT_DAEMON, 0, 0 }, {"daemon", 0, POPT_ARG_NONE, 0, OPT_DAEMON, 0, 0 }, @@ -675,6 +701,13 @@ static void daemon_usage(enum logcode F) rprintf(F," -v, --verbose increase verbosity\n"); rprintf(F," -4, --ipv4 prefer IPv4\n"); rprintf(F," -6, --ipv6 prefer IPv6\n"); +#ifdef HAVE_OPENSSL + rprintf(F," --ssl allow socket connections to use SSL\n"); + rprintf(F," --ssl-cert=FILE path to daemon's SSL certificate\n"); + rprintf(F," --ssl-key=FILE path to daemon's SSL private key\n"); + rprintf(F," --ssl-key-passwd=PASS password for PEM-encoded private key\n"); + rprintf(F," --ssl-ca-certs=FILE path to trusted CA certificates\n"); +#endif rprintf(F," --help show this help screen\n"); rprintf(F,"\n"); @@ -699,6 +732,13 @@ static struct poptOption long_daemon_options[] = { {"protocol", 0, POPT_ARG_INT, &protocol_version, 0, 0, 0 }, {"server", 0, POPT_ARG_NONE, &am_server, 0, 0, 0 }, {"temp-dir", 'T', POPT_ARG_STRING, &tmpdir, 0, 0, 0 }, +#ifdef HAVE_OPENSSL + {"ssl", 0, POPT_ARG_NONE, 0, OPT_USE_SSL, 0, 0}, + {"ssl-cert", 0, POPT_ARG_STRING, &ssl_cert_path, OPT_USE_SSL, 0, 0}, + {"ssl-key", 0, POPT_ARG_STRING, &ssl_key_path, OPT_USE_SSL, 0, 0}, + {"ssl-key-passwd", 0, POPT_ARG_STRING, &ssl_key_passwd, OPT_USE_SSL, 0, 0}, + {"ssl-ca-certs", 0, POPT_ARG_STRING, &ssl_ca_path, OPT_USE_SSL, 0, 0}, +#endif {"verbose", 'v', POPT_ARG_NONE, 0, 'v', 0, 0 }, {"no-verbose", 0, POPT_ARG_VAL, &verbose, 0, 0, 0 }, {"no-v", 0, POPT_ARG_VAL, &verbose, 0, 0, 0 }, @@ -980,6 +1020,12 @@ int parse_arguments(int *argc_p, const char ***argv_p) verbose++; break; +#ifdef HAVE_OPENSSL + case OPT_USE_SSL: + use_ssl = 1; + break; +#endif + default: rprintf(FERROR, "rsync: %s: %s (in daemon mode)\n", @@ -1003,6 +1049,17 @@ int parse_arguments(int *argc_p, const char ***argv_p) exit_cleanup(RERR_SYNTAX); } +#ifdef HAVE_OPENSSL + if (use_ssl) { + if (init_tls()) { + snprintf(err_buf, sizeof(err_buf), + "Openssl error: %s\n", + get_ssl_error()); + return 0; + } + } +#endif + *argv_p = argv = poptGetArgs(pc); *argc_p = argc = count_args(argv); am_starting_up = 0; @@ -1261,6 +1318,12 @@ int parse_arguments(int *argc_p, const char ***argv_p) return 0; #endif +#ifdef HAVE_OPENSSL + case OPT_USE_SSL: + use_ssl = 1; + break; +#endif + default: /* A large opt value means that set_refuse_options() * turned this option off. */ @@ -1594,6 +1657,17 @@ int parse_arguments(int *argc_p, const char ***argv_p) if (delay_updates && !partial_dir) partial_dir = tmp_partialdir; +#ifdef HAVE_OPENSSL + if (use_ssl) { + if (init_tls()) { + snprintf(err_buf, sizeof(err_buf), + "Openssl error: %s\n", + get_ssl_error()); + return 0; + } + } +#endif + if (inplace) { #ifdef HAVE_FTRUNCATE if (partial_dir) { @@ -2087,10 +2161,27 @@ char *check_for_hostspec(char *s, char **host_ptr, int *port_ptr) char *p; int not_host; int hostlen; - - if (port_ptr && strncasecmp(URL_PREFIX, s, strlen(URL_PREFIX)) == 0) { + int url_prefix_len = sizeof URL_PREFIX - 1; + + if (!port_ptr) + url_prefix_len = 0; + else if (strncasecmp(URL_PREFIX, s, url_prefix_len) != 0) { +#ifdef HAVE_OPENSSL + url_prefix_len = sizeof SSL_URL_PREFIX - 1; + if (strncasecmp(SSL_URL_PREFIX, s, url_prefix_len) != 0) + url_prefix_len = 0; + else { + if (!use_ssl) + init_tls(); + use_ssl = 1; + } +#else + url_prefix_len = 0; +#endif + } + if (url_prefix_len) { char *path; - s += strlen(URL_PREFIX); + s += url_prefix_len; if ((p = strchr(s, '/')) != NULL) { hostlen = p - s; path = p + 1; diff --git a/rsync.h b/rsync.h --- a/rsync.h +++ b/rsync.h @@ -31,6 +31,7 @@ #define DEFAULT_LOCK_FILE "/var/run/rsyncd.lock" #define URL_PREFIX "rsync://" +#define SSL_URL_PREFIX "rsyncs://" #define SYMLINK_PREFIX "/rsyncd-munged/" #define SYMLINK_PREFIX_LEN ((int)sizeof SYMLINK_PREFIX - 1) @@ -549,6 +550,11 @@ typedef unsigned int size_t; # define SIZEOF_INT64 SIZEOF_OFF_T #endif +#ifdef HAVE_OPENSSL +#include +#include +#endif + struct hashtable { void *nodes; int32 size, entries; diff --git a/ssl.c b/ssl.c new file mode 100644 --- /dev/null +++ b/ssl.c @@ -0,0 +1,370 @@ +/* -*- c-file-style: "linux" -*- + * ssl.c: operations for negotiating SSL rsync connections. + * + * Copyright (C) 2003 Casey Marshall + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. + */ + +#include "rsync.h" + +#ifdef HAVE_SYS_SELECT_H +#include +#else +#include +#include +#include +#endif +#include + +#define BUF_SIZE 1024 + +extern int verbose; +extern int am_daemon; +extern int am_server; + +extern char *ssl_cert_path; +extern char *ssl_key_path; +extern char *ssl_key_passwd; +extern char *ssl_ca_path; + +static SSL_CTX *ssl_ctx; +static SSL *ssl; +static int tls_read[2] = { -1, -1 }; +static int tls_write[2] = { -1, -1 }; +static int ssl_running; +static int ssl_pid = -1; + +#ifdef HAVE_SIGACTION +static struct sigaction sigact; +#endif + +/** + * A non-interactive callback to be passed to SSL_CTX_set_default_password_cb, + * which merely copies the value of ssl_key_passwd into buf. This is + * used for when the private key password is supplied via an option. + */ +static int default_password_cb(char *buf, int n, UNUSED(int f), UNUSED(void *u)) +{ + if (ssl_key_passwd == NULL || n < (int)strlen(ssl_key_passwd)) + return 0; + strncpy(buf, ssl_key_passwd, n-1); + return strlen(ssl_key_passwd); +} + +/** + * If verbose, this method traces the status of the SSL handshake. + */ +static void info_callback(const SSL *ssl, int cb, int val) +{ + char buf[128]; + char *cbs; + + switch (cb) { + case SSL_CB_LOOP: + cbs = "SSL_CB_LOOP"; + break; + case SSL_CB_EXIT: + cbs = "SSL_CB_EXIT"; + break; + case SSL_CB_READ: + cbs = "SSL_CB_READ"; + break; + case SSL_CB_WRITE: + cbs = "SSL_CB_WRITE"; + break; + case SSL_CB_ALERT: + cbs = "SSL_CB_ALERT"; + break; + case SSL_CB_READ_ALERT: + cbs = "SSL_CB_READ_ALERT"; + break; + case SSL_CB_WRITE_ALERT: + cbs = "SSL_CB_WRITE_ALERT"; + break; + case SSL_CB_ACCEPT_LOOP: + cbs = "SSL_CB_ACCEPT_LOOP"; + break; + case SSL_CB_ACCEPT_EXIT: + cbs = "SSL_CB_ACCEPT_EXIT"; + break; + case SSL_CB_CONNECT_LOOP: + cbs = "SSL_CB_CONNECT_LOOP"; + break; + case SSL_CB_CONNECT_EXIT: + cbs = "SSL_CB_CONNECT_EXIT"; + break; + case SSL_CB_HANDSHAKE_START: + cbs = "SSL_CB_HANDSHAKE_START"; + break; + case SSL_CB_HANDSHAKE_DONE: + cbs = "SSL_CB_HANDSHAKE_DONE"; + break; + default: + snprintf(buf, sizeof buf, "??? (%d)", cb); + cbs = buf; + break; + } + if (verbose > 2) { + rprintf(FLOG, "SSL: info_callback(%p,%s,%d)\n", ssl, cbs, val); + if (cb == SSL_CB_HANDSHAKE_DONE) { + SSL_CIPHER_description(SSL_get_current_cipher((SSL*)ssl), + buf, sizeof buf); + rprintf(FLOG, "SSL: cipher: %s", buf); + } + } +} + +/** + * Initializes the SSL context for TLSv1 connections; returns zero on + * success. + */ +int init_tls(void) +{ + if (ssl_ctx) + return 0; + SSL_library_init(); + SSL_load_error_strings(); + ssl_ctx = SSL_CTX_new(TLSv1_method()); + if (!ssl_ctx) + return 1; + SSL_CTX_set_info_callback(ssl_ctx, info_callback); + + /* Sets the certificate sent to the other party. */ + if (ssl_cert_path != NULL + && SSL_CTX_use_certificate_file(ssl_ctx, ssl_cert_path, + SSL_FILETYPE_PEM) != 1) + return 1; + /* Set up the simple non-interactive callback if the password + * was supplied on the command line. */ + if (ssl_key_passwd != NULL) + SSL_CTX_set_default_passwd_cb(ssl_ctx, default_password_cb); + /* Sets the private key that matches the public certificate. */ + if (ssl_key_path != NULL) { + if (SSL_CTX_use_PrivateKey_file(ssl_ctx, ssl_key_path, + SSL_FILETYPE_PEM) != 1) + return 1; + if (SSL_CTX_check_private_key(ssl_ctx) != 1) + return 1; + } + if (ssl_ca_path != NULL + && !SSL_CTX_load_verify_locations(ssl_ctx, ssl_ca_path, NULL)) + return 1; + + return 0; +} + +/** + * Returns the error string for the current SSL error, if any. + */ +char *get_ssl_error(void) +{ + return ERR_error_string(ERR_get_error(), NULL); +} + +/** + * Returns the input file descriptor for the SSL connection. + */ +int get_tls_rfd(void) +{ + return tls_read[0]; +} + +/** + * Returns the output file descriptor for the SSL connection. + */ +int get_tls_wfd(void) +{ + return tls_write[1]; +} + +/** + * Signal handler that ends the SSL connection. + */ +static RETSIGTYPE tls_sigusr1(int UNUSED(val)) +{ + if (ssl) { + SSL_shutdown(ssl); + SSL_free(ssl); + ssl = NULL; + } + ssl_running = 0; +} + +/** + * Negotiates the TLS connection, creates a socket pair for communicating + * with the rsync process, then forks into a new process that will handle + * the communication. + * + * 0 is returned on success. + */ +int start_tls(int f_in, int f_out) +{ + int tls_fd; + int n = 0, r; + unsigned char buf1[BUF_SIZE], buf2[BUF_SIZE]; + int avail1 = 0, avail2 = 0, write1 = 0, write2 = 0; + fd_set rd, wd; + + if (fd_pair(tls_read)) + return 1; + if (fd_pair(tls_write)) + return 1; + + set_blocking(tls_read[0]); + set_blocking(tls_read[1]); + set_blocking(tls_write[0]); + set_blocking(tls_write[1]); + set_blocking(f_in); + set_blocking(f_out); + + ssl_pid = do_fork(); + if (ssl_pid < 0) + return -1; + if (ssl_pid != 0) { + close(tls_write[0]); + close(tls_read[1]); + return 0; + } + + SIGACTION(SIGUSR1, tls_sigusr1); + ssl = SSL_new(ssl_ctx); + if (!ssl) + goto closed; + if (am_daemon || am_server) + SSL_set_accept_state(ssl); + else + SSL_set_connect_state(ssl); + SSL_set_rfd(ssl, f_in); + SSL_set_wfd(ssl, f_out); + + tls_fd = SSL_get_fd(ssl); + n = tls_write[0]; + n = MAX(tls_read[1], n); + n = MAX(tls_fd, n) + 1; + + ssl_running = 1; + while (ssl_running) { + FD_ZERO(&rd); + FD_ZERO(&wd); + FD_SET(tls_write[0], &rd); + FD_SET(tls_read[1], &wd); + FD_SET(tls_fd, &rd); + FD_SET(tls_fd, &wd); + + r = select(n, &rd, &wd, NULL, NULL); + + if (r == -1 && errno == EINTR) + continue; + if (FD_ISSET(tls_write[0], &rd)) { + r = read(tls_write[0], buf1+avail1, BUF_SIZE-avail1); + if (r >= 0) + avail1 += r; + else { + rprintf(FERROR, "pipe read error: %s\n", + strerror(errno)); + break; + } + } + if (FD_ISSET(tls_fd, &rd)) { + r = SSL_read(ssl, buf2+avail2, BUF_SIZE-avail2); + if (r > 0) + avail2 += r; + else { + switch (SSL_get_error(ssl, r)) { + case SSL_ERROR_ZERO_RETURN: + goto closed; + case SSL_ERROR_WANT_READ: + case SSL_ERROR_WANT_WRITE: + break; + case SSL_ERROR_SYSCALL: + if (r == 0) + rprintf(FERROR, "SSL spurious EOF\n"); + else + rprintf(FERROR, "SSL I/O error: %s\n", + strerror(errno)); + goto closed; + case SSL_ERROR_SSL: + rprintf(FERROR, "SSL: %s\n", + ERR_error_string(ERR_get_error(), NULL)); + goto closed; + default: + rprintf(FERROR, "unexpected ssl error %d\n", r); + goto closed; + } + } + } + if (FD_ISSET(tls_read[1], &wd) && write2 < avail2) { + r = write(tls_read[1], buf2+write2, avail2-write2); + if (r >= 0) + write2 += r; + else { + rprintf(FERROR, "pipe write error: %s\n", + strerror(errno)); + break; + } + } + if (FD_ISSET(tls_fd, &wd) && write1 < avail1) { + r = SSL_write(ssl, buf1+write1, avail1-write1); + if (r > 0) + write1 += r; + else { + switch (SSL_get_error(ssl, r)) { + case SSL_ERROR_ZERO_RETURN: + goto closed; + case SSL_ERROR_WANT_READ: + case SSL_ERROR_WANT_WRITE: + break; + case SSL_ERROR_SYSCALL: + if (r == 0) + rprintf(FERROR, "SSL: spurious EOF\n"); + else + rprintf(FERROR, "SSL: I/O error: %s\n", + strerror(errno)); + goto closed; + case SSL_ERROR_SSL: + rprintf(FERROR, "SSL: %s\n", + ERR_error_string(ERR_get_error(), NULL)); + goto closed; + default: + rprintf(FERROR, "unexpected ssl error %d\n", r); + goto closed; + } + } + } + if (avail1 == write1) + avail1 = write1 = 0; + if (avail2 == write2) + avail2 = write2 = 0; + } + + /* XXX I'm pretty sure that there is a lot that I am not considering + here. Bugs? Yes, probably. */ + + /* We're finished. */ + closed: + close(tls_read[1]); + close(tls_write[0]); + exit(0); +} + +/** + * Ends the TLS connection. + */ +void end_tls(void) +{ + if (ssl_pid > 0) + kill(ssl_pid, SIGUSR1); +}