- updated for 2.6.7

[packages/rsync.git] / rsync-ssl.patch

diff -urbBN rsync-2.6.6.org/cleanup.c rsync-2.6.6/cleanup.c
--- rsync-2.6.6.org/cleanup.c	2005-03-05 19:58:38.000000000 +0100
+++ rsync-2.6.6/cleanup.c	2005-11-14 16:49:56.182884500 +0100
@@ -22,6 +22,9 @@
 #include "rsync.h"
 
 extern int io_error;
+#if HAVE_OPENSSL
+extern int use_ssl;
+#endif
 extern int keep_partial;
 extern int log_got_error;
 extern char *partial_dir;
@@ -97,6 +100,11 @@
 	signal(SIGUSR1, SIG_IGN);
 	signal(SIGUSR2, SIG_IGN);
 
+#if HAVE_OPENSSL
+	if (use_ssl)
+		end_tls();
+#endif
+
 	if (verbose > 3) {
 		rprintf(FINFO,"_exit_cleanup(code=%d, file=%s, line=%d): entered\n",
 			code, safe_fname(file), line);
diff -urbBN rsync-2.6.6.org/clientserver.c rsync-2.6.6/clientserver.c
--- rsync-2.6.6.org/clientserver.c	2005-06-10 18:57:43.000000000 +0200
+++ rsync-2.6.6/clientserver.c	2005-11-14 16:49:56.182884500 +0100
@@ -44,6 +44,9 @@
 extern int orig_umask;
 extern int no_detach;
 extern int default_af_hint;
+#if HAVE_OPENSSL
+extern int use_ssl;
+#endif
 extern char *bind_address;
 extern struct filter_list_struct server_filter_list;
 extern char *config_file;
@@ -98,8 +101,18 @@
 		exit_cleanup(RERR_SOCKETIO);
 
 	ret = start_inband_exchange(user, path, fd, fd, argc);
+	if (ret)
+		return ret;
+
+#if HAVE_OPENSSL
+	if (use_ssl) {
+		int f_in = get_tls_rfd();
+		int f_out = get_tls_wfd();
+		return client_run(f_in, f_out, -1, argc, argv);
+	}
+#endif
 
-	return ret ? ret : client_run(fd, fd, -1, argc, argv);
+	return client_run(fd, fd, -1, argc, argv);
 }
 
 int start_inband_exchange(char *user, char *path, int f_in, int f_out, 
@@ -160,6 +173,33 @@
 	if (verbose > 1)
 		print_child_argv(sargs);
 
+#if HAVE_OPENSSL
+	if (use_ssl) {
+		io_printf(f_out, "#starttls\n");
+		while (1) {
+			if (!read_line(f_in, line, sizeof(line)-1)) {
+				rprintf(FERROR, "rsync: did not receive reply to #starttls\n");
+				return -1;
+			}
+			if (strncmp(line, "@ERROR", 6) == 0) {
+				rprintf(FERROR, "%s\n", line);
+				return -1;
+			}
+			if (strcmp(line, "@RSYNCD: starttls") == 0) {
+				break;
+			}
+			rprintf(FINFO, "%s\n", line);
+		}
+		if (start_tls(f_in, f_out)) {
+			rprintf(FERROR, "rsync: error during SSL handshake: %s\n",
+				get_ssl_error());
+			return -1;
+		}
+		f_in = get_tls_rfd();
+		f_out = get_tls_wfd();
+	}
+#endif
+
 	p = strchr(path,'/');
 	if (p) *p = 0;
 	io_printf(f_out, "%s\n", path);
@@ -188,6 +228,10 @@
 			 * server to terminate the listing of modules.
 			 * We don't want to go on and transfer
 			 * anything; just exit. */
+#if HAVE_OPENSSL
+			if (use_ssl)
+				end_tls();
+#endif
 			exit(0);
 		}
 
@@ -195,6 +239,10 @@
 			rprintf(FERROR, "%s\n", line);
 			/* This is always fatal; the server will now
 			 * close the socket. */
+#if HAVE_OPENSSL
+			if (use_ssl)
+				end_tls();
+#endif
 			return -1;
 		}
 
@@ -590,6 +639,9 @@
 	if (protocol_version > remote_protocol)
 		protocol_version = remote_protocol;
 
+#if HAVE_OPENSSL
+retry:
+#endif
 	line[0] = 0;
 	if (!read_line(f_in, line, sizeof line - 1))
 		return -1;
@@ -599,6 +651,20 @@
 		return -1;
 	}
 
+#if HAVE_OPENSSL
+	if (use_ssl && strcmp(line, "#starttls") == 0) {
+		io_printf(f_out, "@RSYNCD: starttls\n");
+		if (start_tls(f_in, f_out)) {
+			rprintf(FLOG, "SSL connection failed: %s\n",
+				get_ssl_error());
+			return -1;
+		}
+		f_in = get_tls_rfd();
+		f_out = get_tls_wfd();
+		goto retry;
+	}
+#endif
+
 	if (*line == '#') {
 		/* it's some sort of command that I don't understand */
 		io_printf(f_out, "@ERROR: Unknown command '%s'\n", line);
diff -urbBN rsync-2.6.6.org/configure.in rsync-2.6.6/configure.in
--- rsync-2.6.6.org/configure.in	2005-07-28 21:31:05.000000000 +0200
+++ rsync-2.6.6/configure.in	2005-11-14 16:49:56.186884750 +0100
@@ -293,6 +293,21 @@
 	AC_SEARCH_LIBS(getaddrinfo, inet6)
 fi
 
+AC_ARG_ENABLE(openssl,
+              AC_HELP_STRING([--enable-openssl], [compile SSL support with OpenSSL.]))
+
+if test "x$enable_openssl" != xno
+then
+	have_ssl=yes
+	AC_CHECK_LIB(ssl, SSL_library_init, , [have_ssl=no])
+	if test "x$have_ssl" = xyes
+	then
+		AC_DEFINE(HAVE_OPENSSL, 1, [true if you want to use SSL.])
+		SSL_OBJS=ssl.o
+		AC_SUBST(SSL_OBJS)
+	fi
+fi
+
 AC_MSG_CHECKING([whether to call shutdown on all sockets])
 case $host_os in
 	*cygwin* ) AC_MSG_RESULT(yes)
diff -urbBN rsync-2.6.6.org/Makefile.in rsync-2.6.6/Makefile.in
--- rsync-2.6.6.org/Makefile.in	2005-07-07 23:29:57.000000000 +0200
+++ rsync-2.6.6/Makefile.in	2005-11-14 16:49:56.182884500 +0100
@@ -38,7 +38,7 @@
 DAEMON_OBJ = params.o loadparm.o clientserver.o access.o connection.o authenticate.o
 popt_OBJS=popt/findme.o  popt/popt.o  popt/poptconfig.o \
 	popt/popthelp.o popt/poptparse.o
-OBJS=$(OBJS1) $(OBJS2) $(OBJS3) $(DAEMON_OBJ) $(LIBOBJ) $(ZLIBOBJ) @BUILD_POPT@
+OBJS=$(OBJS1) $(OBJS2) $(OBJS3) $(DAEMON_OBJ) $(LIBOBJ) $(ZLIBOBJ) @BUILD_POPT@ @SSL_OBJS@
 
 TLS_OBJ = tls.o syscall.o lib/compat.o lib/snprintf.o lib/permstring.o
 
diff -urbBN rsync-2.6.6.org/options.c rsync-2.6.6/options.c
--- rsync-2.6.6.org/options.c	2005-05-19 10:52:17.000000000 +0200
+++ rsync-2.6.6/options.c	2005-11-14 16:50:48.190134750 +0100
@@ -157,6 +157,14 @@
 int always_checksum = 0;
 int list_only = 0;
 
+#if HAVE_OPENSSL
+int use_ssl = 0;
+char *ssl_cert_path = NULL;
+char *ssl_key_path = NULL;
+char *ssl_key_passwd = NULL;
+char *ssl_ca_path = NULL;
+#endif
+
 #define MAX_BATCH_NAME_LEN 256	/* Must be less than MAXPATHLEN-13 */
 char *batch_name = NULL;
 
@@ -182,6 +190,7 @@
 	char const *hardlinks = "no ";
 	char const *links = "no ";
 	char const *ipv6 = "no ";
+	char const *ssl = "no ";
 	STRUCT_STAT *dumstat;
 
 #ifdef HAVE_SOCKETPAIR
@@ -204,6 +213,10 @@
 	ipv6 = "";
 #endif
 
+#if HAVE_OPENSSL
+	ssl = "";
+#endif
+
 	rprintf(f, "%s  version %s  protocol version %d\n",
 		RSYNC_NAME, RSYNC_VERSION, PROTOCOL_VERSION);
 	rprintf(f,
@@ -217,10 +230,10 @@
 	/* Note that this field may not have type ino_t.  It depends
 	 * on the complicated interaction between largefile feature
 	 * macros. */
-	rprintf(f, "              %sinplace, %sIPv6, %d-bit system inums, %d-bit internal inums\n",
+	rprintf(f, "              %sinplace, %sIPv6, %d-bit system inums, %d-bit internal inums, %sssl\n",
 		have_inplace, ipv6,
 		(int) (sizeof dumstat->st_ino * 8),
-		(int) (sizeof (int64) * 8));
+		(int) (sizeof (int64) * 8), ssl);
 #ifdef MAINTAINER_MODE
 	rprintf(f, "              panic action: \"%s\"\n",
 		get_panic_action());
@@ -352,6 +365,13 @@
   rprintf(F," -4, --ipv4                  prefer IPv4\n");
   rprintf(F," -6, --ipv6                  prefer IPv6\n");
 #endif
+#if HAVE_OPENSSL
+  rprintf(F,"     --ssl                   allow socket connections to use SSL\n");
+  rprintf(F,"     --ssl-cert=FILE         path to daemon's SSL certificate\n");
+  rprintf(F,"     --ssl-key=FILE          path to daemon's SSL private key\n");
+  rprintf(F,"     --ssl-key-passwd=PASS   password for PEM-encoded private key\n");
+  rprintf(F,"     --ssl-ca-certs=FILE     path to trusted CA certificates\n");
+#endif
   rprintf(F,"     --version               print version number\n");
   rprintf(F," -h, --help                  show this help screen\n");
 
@@ -362,7 +382,7 @@
 
 enum {OPT_VERSION = 1000, OPT_DAEMON, OPT_SENDER, OPT_EXCLUDE, OPT_EXCLUDE_FROM,
       OPT_FILTER, OPT_COMPARE_DEST, OPT_COPY_DEST, OPT_LINK_DEST,
-      OPT_INCLUDE, OPT_INCLUDE_FROM, OPT_MODIFY_WINDOW,
+      OPT_INCLUDE, OPT_INCLUDE_FROM, OPT_MODIFY_WINDOW, OPT_USE_SSL,
       OPT_READ_BATCH, OPT_WRITE_BATCH, OPT_ONLY_WRITE_BATCH, OPT_MAX_SIZE,
       OPT_REFUSED_BASE = 9000};
 
@@ -464,6 +484,13 @@
   {"ipv4",            '4', POPT_ARG_VAL,    &default_af_hint, AF_INET, 0, 0 },
   {"ipv6",            '6', POPT_ARG_VAL,    &default_af_hint, AF_INET6, 0, 0 },
 #endif
+#if HAVE_OPENSSL
+  {"ssl",              0,  POPT_ARG_NONE,   0, OPT_USE_SSL, 0, 0},
+  {"ssl-cert",         0,  POPT_ARG_STRING, &ssl_cert_path, OPT_USE_SSL, 0, 0},
+  {"ssl-key",          0,  POPT_ARG_STRING, &ssl_key_path, OPT_USE_SSL, 0, 0},
+  {"ssl-key-passwd",   0,  POPT_ARG_STRING, &ssl_key_passwd, OPT_USE_SSL, 0, 0},
+  {"ssl-ca-certs",     0,  POPT_ARG_STRING, &ssl_ca_path, OPT_USE_SSL, 0, 0},
+#endif
   /* All these options switch us into daemon-mode option-parsing. */
   {"config",           0,  POPT_ARG_STRING, 0, OPT_DAEMON, 0, 0 },
   {"daemon",           0,  POPT_ARG_NONE,   0, OPT_DAEMON, 0, 0 },
@@ -508,6 +535,13 @@
   {"port",             0,  POPT_ARG_INT,    &rsync_port, 0, 0, 0 },
   {"protocol",         0,  POPT_ARG_INT,    &protocol_version, 0, 0, 0 },
   {"server",           0,  POPT_ARG_NONE,   &am_server, 0, 0, 0 },
+#if HAVE_OPENSSL
+  {"ssl",              0,  POPT_ARG_NONE,   0, OPT_USE_SSL, 0, 0},
+  {"ssl-cert",         0,  POPT_ARG_STRING, &ssl_cert_path, OPT_USE_SSL, 0, 0},
+  {"ssl-key",          0,  POPT_ARG_STRING, &ssl_key_path, OPT_USE_SSL, 0, 0},
+  {"ssl-key-passwd",   0,  POPT_ARG_STRING, &ssl_key_passwd, OPT_USE_SSL, 0, 0},
+  {"ssl-ca-certs",     0,  POPT_ARG_STRING, &ssl_ca_path, OPT_USE_SSL, 0, 0},
+#endif
   {"verbose",         'v', POPT_ARG_NONE,   0, 'v', 0, 0 },
   {"help",            'h', POPT_ARG_NONE,   0, 'h', 0, 0 },
   {0,0,0,0, 0, 0, 0}
@@ -876,6 +910,12 @@
 			basis_dir[basis_dir_cnt++] = (char *)arg;
 			break;
 
+		case OPT_USE_SSL:
+#if HAVE_OPENSSL
+			use_ssl = 1;
+#endif
+			break;
+
 		default:
 			/* A large opt value means that set_refuse_options()
 			 * turned this option off. */
@@ -1129,6 +1169,17 @@
 	if (delay_updates && !partial_dir)
 		partial_dir = partialdir_for_delayupdate;
 
+#if HAVE_OPENSSL
+	if (use_ssl) {
+		if (init_tls()) {
+			snprintf(err_buf, sizeof(err_buf),
+				 "Openssl error: %s\n",
+				 get_ssl_error());
+			return 0;
+		}
+	}
+#endif
+
 	if (inplace) {
 #ifdef HAVE_FTRUNCATE
 		if (partial_dir) {
@@ -1498,11 +1549,28 @@
 {
 	char *p;
 	int not_host;
+	int url_prefix_len = sizeof URL_PREFIX - 1;
 
-	if (port_ptr && strncasecmp(URL_PREFIX, s, strlen(URL_PREFIX)) == 0) {
+	if (!port_ptr)
+		url_prefix_len = 0;
+	else if (strncasecmp(URL_PREFIX, s, url_prefix_len) != 0) {
+#if HAVE_OPENSSL
+		url_prefix_len = sizeof SSL_URL_PREFIX - 1;
+		if (strncasecmp(SSL_URL_PREFIX, s, url_prefix_len) != 0)
+			url_prefix_len = 0;
+		else {
+			if (!use_ssl)
+				init_tls();
+			use_ssl = 1;
+		}
+#else
+		url_prefix_len = 0;
+#endif
+	}
+	if (url_prefix_len) {
 		char *path;
 		int hostlen;
-		s += strlen(URL_PREFIX);
+		s += url_prefix_len;
 		if ((p = strchr(s, '/')) != NULL) {
 			hostlen = p - s;
 			path = p + 1;
diff -urbBN rsync-2.6.6.org/rsync.h rsync-2.6.6/rsync.h
--- rsync-2.6.6.org/rsync.h	2005-05-03 19:00:47.000000000 +0200
+++ rsync-2.6.6/rsync.h	2005-11-14 16:49:56.190885000 +0100
@@ -32,6 +32,7 @@
 
 #define DEFAULT_LOCK_FILE "/var/run/rsyncd.lock"
 #define URL_PREFIX "rsync://"
+#define SSL_URL_PREFIX "rsyncs://"
 
 #define BACKUP_SUFFIX "~"
 
@@ -410,6 +411,11 @@
 # define SIZEOF_INT64 SIZEOF_OFF_T
 #endif
 
+#if HAVE_OPENSSL
+#include <openssl/ssl.h>
+#include <openssl/err.h>
+#endif
+
 /* Starting from protocol version 26, we always use 64-bit
  * ino_t and dev_t internally, even if this platform does not
  * allow files to have 64-bit inums.  That's because the
diff -urbBN rsync-2.6.6.org/ssl.c rsync-2.6.6/ssl.c
--- rsync-2.6.6.org/ssl.c	1970-01-01 01:00:00.000000000 +0100
+++ rsync-2.6.6/ssl.c	2005-11-14 16:49:56.190885000 +0100
@@ -0,0 +1,366 @@
+/* -*- c-file-style: "linux" -*-
+ * ssl.c: operations for negotiating SSL rsync connections. 
+ *
+ * Copyright (C) 2003  Casey Marshall <rsdio@metastatic.org>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ * 
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ * 
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+ */
+
+#include "rsync.h"
+
+#if HAVE_SYS_SELECT_H
+#include <sys/select.h>
+#else
+#include <sys/time.h>
+#include <sys/types.h>
+#include <unistd.h>
+#endif
+#include <string.h>
+
+#define BUF_SIZE 1024
+
+extern int verbose;
+extern int am_daemon;
+extern int am_server;
+
+extern char *ssl_cert_path;
+extern char *ssl_key_path;
+extern char *ssl_key_passwd;
+extern char *ssl_ca_path;
+
+static SSL_CTX *ssl_ctx;
+static SSL *ssl;
+static int tls_read[2] = { -1, -1 };
+static int tls_write[2] = { -1, -1 };
+static int ssl_running;
+static int ssl_pid = -1;
+
+/**
+ * A non-interactive callback to be passed to SSL_CTX_set_default_password_cb,
+ * which merely copies the value of ssl_key_passwd into buf. This is
+ * used for when the private key password is supplied via an option.
+ */
+static int default_password_cb(char *buf, int n, UNUSED(int f), UNUSED(void *u))
+{
+	if (ssl_key_passwd == NULL || n < (int)strlen(ssl_key_passwd))
+		return 0;
+	strncpy(buf, ssl_key_passwd, n-1);
+	return strlen(ssl_key_passwd);
+}
+
+/**
+ * If verbose, this method traces the status of the SSL handshake.
+ */
+static void info_callback(const SSL *ssl, int cb, int val)
+{
+	char buf[128];
+	char *cbs;
+
+	switch (cb) {
+	case SSL_CB_LOOP:
+		cbs = "SSL_CB_LOOP";
+		break;
+	case SSL_CB_EXIT:
+		cbs = "SSL_CB_EXIT";
+		break;
+	case SSL_CB_READ:
+		cbs = "SSL_CB_READ";
+		break;
+	case SSL_CB_WRITE:
+		cbs = "SSL_CB_WRITE";
+		break;
+	case SSL_CB_ALERT:
+		cbs = "SSL_CB_ALERT";
+		break;
+	case SSL_CB_READ_ALERT:
+		cbs = "SSL_CB_READ_ALERT";
+		break;
+	case SSL_CB_WRITE_ALERT:
+		cbs = "SSL_CB_WRITE_ALERT";
+		break;
+	case SSL_CB_ACCEPT_LOOP:
+		cbs = "SSL_CB_ACCEPT_LOOP";
+		break;
+	case SSL_CB_ACCEPT_EXIT:
+		cbs = "SSL_CB_ACCEPT_EXIT";
+		break;
+	case SSL_CB_CONNECT_LOOP:
+		cbs = "SSL_CB_CONNECT_LOOP";
+		break;
+	case SSL_CB_CONNECT_EXIT:
+		cbs = "SSL_CB_CONNECT_EXIT";
+		break;
+	case SSL_CB_HANDSHAKE_START:
+		cbs = "SSL_CB_HANDSHAKE_START";
+		break;
+	case SSL_CB_HANDSHAKE_DONE:
+		cbs = "SSL_CB_HANDSHAKE_DONE";
+		break;
+	default:
+		snprintf(buf, sizeof buf, "??? (%d)", cb);
+		cbs = buf;
+		break;
+	}
+	if (verbose > 2) {
+		rprintf(FLOG, "SSL: info_callback(%p,%s,%d)\n", ssl, cbs, val);
+		if (cb == SSL_CB_HANDSHAKE_DONE) {
+			SSL_CIPHER_description(SSL_get_current_cipher((SSL*)ssl),
+					       buf, sizeof buf);
+			rprintf(FLOG, "SSL: cipher: %s", buf);
+		}
+	}
+}
+
+/**
+ * Initializes the SSL context for TLSv1 connections; returns zero on
+ * success.
+ */
+int init_tls(void)
+{
+	if (ssl_ctx)
+		return 0;
+	SSL_library_init();
+	SSL_load_error_strings();
+	ssl_ctx = SSL_CTX_new(TLSv1_method());
+	if (!ssl_ctx)
+		return 1;
+	SSL_CTX_set_info_callback(ssl_ctx, info_callback);
+
+	/* Sets the certificate sent to the other party. */
+	if (ssl_cert_path != NULL
+	    && SSL_CTX_use_certificate_file(ssl_ctx, ssl_cert_path,
+					    SSL_FILETYPE_PEM) != 1)
+		return 1;
+	/* Set up the simple non-interactive callback if the password
+	 * was supplied on the command line. */
+	if (ssl_key_passwd != NULL)
+		SSL_CTX_set_default_passwd_cb(ssl_ctx, default_password_cb);
+	/* Sets the private key that matches the public certificate. */
+	if (ssl_key_path != NULL) {
+		if (SSL_CTX_use_PrivateKey_file(ssl_ctx, ssl_key_path,
+						SSL_FILETYPE_PEM) != 1)
+			return 1;
+		if (SSL_CTX_check_private_key(ssl_ctx) != 1)
+			return 1;
+	}
+	if (ssl_ca_path != NULL
+	    && !SSL_CTX_load_verify_locations(ssl_ctx, ssl_ca_path, NULL))
+		return 1;
+
+	return 0;
+}
+
+/**
+ * Returns the error string for the current SSL error, if any.
+ */
+char *get_ssl_error(void)
+{
+	return ERR_error_string(ERR_get_error(), NULL);
+}
+
+/**
+ * Returns the input file descriptor for the SSL connection.
+ */
+int get_tls_rfd(void)
+{
+	return tls_read[0];
+}
+
+/**
+ * Returns the output file descriptor for the SSL connection.
+ */
+int get_tls_wfd(void)
+{
+	return tls_write[1];
+}
+
+/**
+ * Signal handler that ends the SSL connection.
+ */
+static RETSIGTYPE tls_sigusr1(int UNUSED(val))
+{
+	if (ssl) {
+		SSL_shutdown(ssl);
+		SSL_free(ssl);
+		ssl = NULL;
+	}
+	ssl_running = 0;
+}
+
+/**
+ * Negotiates the TLS connection, creates a socket pair for communicating
+ * with the rsync process, then forks into a new process that will handle
+ * the communication.
+ *
+ * 0 is returned on success.
+ */
+int start_tls(int f_in, int f_out)
+{
+	int tls_fd;
+	int n = 0, r;
+	unsigned char buf1[BUF_SIZE], buf2[BUF_SIZE];
+	int avail1 = 0, avail2 = 0, write1 = 0, write2 = 0;
+	fd_set rd, wd;
+
+	if (fd_pair(tls_read))
+		return 1;
+	if (fd_pair(tls_write))
+		return 1;
+
+	set_blocking(tls_read[0]);
+	set_blocking(tls_read[1]);
+	set_blocking(tls_write[0]);
+	set_blocking(tls_write[1]);
+	set_blocking(f_in);
+	set_blocking(f_out);
+
+	ssl_pid = do_fork();
+	if (ssl_pid < 0)
+		return -1;
+	if (ssl_pid != 0) {
+		close(tls_write[0]);
+		close(tls_read[1]);
+		return 0;
+	}
+
+	signal(SIGUSR1, tls_sigusr1);
+	ssl = SSL_new(ssl_ctx);
+	if (!ssl)
+		goto closed;
+	if (am_daemon || am_server)
+		SSL_set_accept_state(ssl);
+	else
+		SSL_set_connect_state(ssl);
+	SSL_set_rfd(ssl, f_in);
+	SSL_set_wfd(ssl, f_out);
+
+	tls_fd = SSL_get_fd(ssl);
+	n = tls_write[0];
+	n = MAX(tls_read[1], n);
+	n = MAX(tls_fd, n) + 1;
+
+	ssl_running = 1;
+	while (ssl_running) {
+		FD_ZERO(&rd);
+		FD_ZERO(&wd);
+		FD_SET(tls_write[0], &rd);
+		FD_SET(tls_read[1], &wd);
+		FD_SET(tls_fd, &rd);
+		FD_SET(tls_fd, &wd);
+
+		r = select(n, &rd, &wd, NULL, NULL);
+
+		if (r == -1 && errno == EINTR)
+			continue;
+		if (FD_ISSET(tls_write[0], &rd)) {
+			r = read(tls_write[0], buf1+avail1, BUF_SIZE-avail1);
+			if (r >= 0)
+				avail1 += r;
+			else {
+				rprintf(FERROR, "pipe read error: %s\n",
+					strerror(errno));
+				break;
+			}
+		}
+		if (FD_ISSET(tls_fd, &rd)) {
+			r = SSL_read(ssl, buf2+avail2, BUF_SIZE-avail2);
+			if (r > 0)
+				avail2 += r;
+			else {
+				switch (SSL_get_error(ssl, r)) {
+				case SSL_ERROR_ZERO_RETURN:
+					goto closed;
+				case SSL_ERROR_WANT_READ:
+				case SSL_ERROR_WANT_WRITE:
+					break;
+				case SSL_ERROR_SYSCALL:
+					if (r == 0)
+						rprintf(FERROR, "SSL spurious EOF\n");
+					else
+						rprintf(FERROR, "SSL I/O error: %s\n",
+							strerror(errno));
+					goto closed;
+				case SSL_ERROR_SSL:
+					rprintf(FERROR, "SSL: %s\n",
+						ERR_error_string(ERR_get_error(), NULL));
+					goto closed;
+				default:
+					rprintf(FERROR, "unexpected ssl error %d\n", r);
+					goto closed;
+				}
+			}
+		}
+		if (FD_ISSET(tls_read[1], &wd) && write2 < avail2) {
+			r = write(tls_read[1], buf2+write2, avail2-write2);
+			if (r >= 0)
+				write2 += r;
+			else {
+				rprintf(FERROR, "pipe write error: %s\n",
+					strerror(errno));
+				break;
+			}
+		}
+		if (FD_ISSET(tls_fd, &wd) && write1 < avail1) {
+			r = SSL_write(ssl, buf1+write1, avail1-write1);
+			if (r > 0)
+				write1 += r;
+			else {
+				switch (SSL_get_error(ssl, r)) {
+				case SSL_ERROR_ZERO_RETURN:
+					goto closed;
+				case SSL_ERROR_WANT_READ:
+				case SSL_ERROR_WANT_WRITE:
+					break;
+				case SSL_ERROR_SYSCALL:
+					if (r == 0)
+						rprintf(FERROR, "SSL: spurious EOF\n");
+					else
+						rprintf(FERROR, "SSL: I/O error: %s\n",
+							strerror(errno));
+					goto closed;
+				case SSL_ERROR_SSL:
+					rprintf(FERROR, "SSL: %s\n",
+						ERR_error_string(ERR_get_error(), NULL));
+					goto closed;
+				default:
+					rprintf(FERROR, "unexpected ssl error %d\n", r);
+					goto closed;
+				}
+			}
+		}
+		if (avail1 == write1)
+			avail1 = write1 = 0;
+		if (avail2 == write2)
+			avail2 = write2 = 0;
+	}
+
+	/* XXX I'm pretty sure that there is a lot that I am not considering
+	   here. Bugs? Yes, probably. */
+
+	/* We're finished. */
+    closed:
+	close(tls_read[1]);
+	close(tls_write[0]);
+	exit(0);
+}
+
+/**
+ * Ends the TLS connection.
+ */
+void end_tls(void)
+{
+	if (ssl_pid > 0)
+		kill(ssl_pid, SIGUSR1);
+}