From 3140dbb20b8eb886da296effb2cdbb1610489777 Mon Sep 17 00:00:00 2001
From: Michael Jumper
Date: Mon, 22 Jul 2013 14:24:37 -0700
Subject: [PATCH] Actually use SSL for I/O.
---
 src/guacd/daemon.c | 7 ++++---
 src/guacd/socket-ssl.c | 43 ++++++++++++++++++++++++++++--------------
 src/guacd/socket-ssl.h | 16 +++++++++++++++-
 3 files changed, 48 insertions(+), 18 deletions(-)
diff --git a/src/guacd/daemon.c b/src/guacd/daemon.c
index 6e6c7fb3..ee645eae 100644
--- a/src/guacd/daemon.c
+++ b/src/guacd/daemon.c
@@ -57,6 +57,7 @@
 #ifdef ENABLE_SSL
 #include
+#include "socket-ssl.h"
 #endif
 #include
@@ -605,9 +606,9 @@ int main(int argc, char* argv[]) {
 /* If SSL chosen, use it */
 if (ssl_context != NULL)
- guacd_log_info("STUB: SSL ENABLED - would have used SSL here.");
-
- socket = guac_socket_open(connected_socket_fd);
+ socket = guac_socket_open_secure(ssl_context, connected_socket_fd);
+ else
+ socket = guac_socket_open(connected_socket_fd);
 #else
 /* Open guac_socket */
 socket = guac_socket_open(connected_socket_fd);
diff --git a/src/guacd/socket-ssl.c b/src/guacd/socket-ssl.c
index 4f9aac3d..4a75b857 100644
--- a/src/guacd/socket-ssl.c
+++ b/src/guacd/socket-ssl.c
@@ -38,6 +38,8 @@
 #include
 #include
+#include
+
 #include
 #include
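Review bot: guac_socket_open_secure() can now return NULL when the SSL handshake fails (see the socket-ssl.c hunk of this patch), but nothing in this hunk tests `socket` after the `if (ssl_context != NULL)` branch assigns it, and the `#else` branch keeps the old unchecked call. Unless the code following `#endif` already handles a NULL socket, the first use of `socket` on a failed handshake is a NULL dereference that a client can trigger simply by sending a bad ClientHello. A check of the form `if (socket == NULL) { /* log guac_error_message, close connected_socket_fd, and abandon this connection */ }` directly after the `#endif` would cover both branches. The body of main() continues outside this hunk, so whether such a check already exists further down cannot be confirmed here.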
@@ -47,46 +49,38 @@ static ssize_t __guac_socket_ssl_read_handler(guac_socket* socket, void* buf, size_t count) {
-#if 0
 /* Read from socket */
 guac_socket_ssl_data* data = (guac_socket_ssl_data*) socket->data;
 int retval;
- /* STUB */
+ retval = SSL_read(data->ssl, buf, count);
 /* Record errors in guac_error */
- if (retval < 0) {
+ if (retval <= 0) {
 guac_error = GUAC_STATUS_SEE_ERRNO;
 guac_error_message = "Error reading data from secure socket";
 }
 return retval;
-#endif
-
- return 0;
 }
 static ssize_t __guac_socket_ssl_write_handler(guac_socket* socket, const void* buf, size_t count) {
-#if 0
 /* Write data to socket */
 guac_socket_ssl_data* data = (guac_socket_ssl_data*) socket->data;
 int retval;
- /* STUB */
+ retval = SSL_write(data->ssl, buf, count);
 /* Record errors in guac_error */
- if (retval < 0) {
+ if (retval <= 0) {
 guac_error = GUAC_STATUS_SEE_ERRNO;
 guac_error_message = "Error writing data to secure socket";
 }
 return retval;
-#endif
-
- return count;
 }
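Review bot: GUAC_STATUS_SEE_ERRNO is the wrong classification for SSL_read()/SSL_write() failures: OpenSSL reports them through SSL_get_error(), and errno is only meaningful for SSL_ERROR_SYSCALL, so a caller following guac_error will read a stale errno. The new `if (retval <= 0)` branch also conflates a clean close_notify (SSL_ERROR_ZERO_RETURN, where SSL_read() returns 0) with a failure and then returns that 0 after setting guac_error, which a caller is likely to take as EOF; on a non-blocking fd SSL_ERROR_WANT_READ/WANT_WRITE would be mis-reported as fatal too. `count` is additionally narrowed from size_t to the int parameter of SSL_read()/SSL_write() without a bound, so a request larger than INT_MAX turns into a negative length. The rewritten error path for the read handler is below; the write handler needs the same SSL_get_error() dispatch with its own message.
```c
    /* … unchanged: data and retval declarations … */

    retval = SSL_read(data->ssl, buf, (int) count);   /* caller should clamp count to INT_MAX first */

    /* Record errors in guac_error */
    if (retval <= 0) {
        switch (SSL_get_error(data->ssl, retval)) {

            /* Peer sent close_notify: end of stream, not an error */
            case SSL_ERROR_ZERO_RETURN:
                return 0;

            /* Underlying I/O failed: errno is meaningful only here */
            case SSL_ERROR_SYSCALL:
                guac_error = GUAC_STATUS_SEE_ERRNO;
                guac_error_message = "Error reading data from secure socket";
                return -1;

            /* Protocol/library failure (WANT_READ/WANT_WRITE would land here
             * too on a non-blocking fd and would need a retry instead) */
            default:
                guac_error = GUAC_STATUS_BAD_STATE;
                guac_error_message = "Error reading data from secure socket";
                return -1;
        }
    }

    return retval;
```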
@@ -129,16 +123,37 @@ static int __guac_socket_ssl_select_handler(guac_socket* socket, int usec_timeou
 }
 static int __guac_socket_ssl_free_handler(guac_socket* socket) {
- free(socket->data);
+
+ /* Shutdown SSL */
+ guac_socket_ssl_data* data = (guac_socket_ssl_data*) socket->data;
+ SSL_shutdown(data->ssl);
+
+ free(data);
 return 0;
 }
-guac_socket* guac_socket_open_secure(int fd) {
+guac_socket* guac_socket_open_secure(SSL_CTX* context, int fd) {
 /* Allocate socket and associated data */
 guac_socket* socket = guac_socket_alloc();
 guac_socket_ssl_data* data = malloc(sizeof(guac_socket_ssl_data));
+ /* Init SSL */
+ data->context = context;
+ data->ssl = SSL_new(context);
+ SSL_set_fd(data->ssl, fd);
+
+ /* Accept SSL connection, handle errors */
+ if (SSL_accept(data->ssl) <= 0) {
+
+ guac_error = GUAC_STATUS_BAD_STATE;
+ guac_error_message = "SSL accept failed";
+
+ free(data);
+ guac_socket_free(socket);
+ return NULL;
+ }
+
 /* Store file descriptor as socket data */
 data->fd = fd;
 socket->data = data;
diff --git a/src/guacd/socket-ssl.h b/src/guacd/socket-ssl.h
index d35211a8..8dfc8cfb 100644
--- a/src/guacd/socket-ssl.h
+++ b/src/guacd/socket-ssl.h
@@ -38,6 +38,9 @@
 #ifndef __GUACD_SOCKET_SSL_H
 #define __GUACD_SOCKET_SSL_H
+#include
+#include
+
 /**
 * SSL socket-specific data.
 */
@@ -49,12 +52,23 @@ typedef struct guac_socket_ssl_data {
 */
 int fd;
+ /**
+ * The current SSL context.
+ */
+ SSL_CTX* context;
+
+ /**
+ * The SSL connection, created automatically via
+ * guac_socket_open_secure().
+ */
+ SSL* ssl;
+
 } guac_socket_ssl_data;
 /**
 * Creates a new guac_socket which will use SSL for all communication.
 */
-guac_socket* guac_socket_open_secure(int fd);
+guac_socket* guac_socket_open_secure(SSL_CTX* context, int fd);
 #endif
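Review bot: The SSL object is never released: __guac_socket_ssl_free_handler() calls SSL_shutdown(data->ssl) and then free(data) without `SSL_free(data->ssl);`, and the SSL_accept() failure path in guac_socket_open_secure() likewise frees data but not data->ssl, so every connection, successful or not, leaks an SSL structure. guac_socket_open_secure() also dereferences `data` and `data->ssl` without checking the malloc() and SSL_new() results and ignores the SSL_set_fd() return value, each of which can fail and would then crash the accepting process instead of refusing one connection. Adding `SSL_free(data->ssl);` right after the SSL_shutdown() call fixes the free handler; the rewritten init/accept section below folds the remaining checks and cleanup into one failure path. The handler installation that follows `socket->data = data;` lies outside this hunk, so whether guac_socket_free() is safe to call before the handlers are set cannot be verified here.
```c
    guac_socket* socket = guac_socket_alloc();
    guac_socket_ssl_data* data = malloc(sizeof(guac_socket_ssl_data));
    if (socket == NULL || data == NULL) {
        /* allocation failed: release whichever succeeded and report it */
        free(data);
        guac_socket_free(socket);
        return NULL;
    }

    /* Init SSL and perform the server-side handshake; any step may fail */
    data->context = context;
    data->ssl = SSL_new(context);
    if (data->ssl == NULL || SSL_set_fd(data->ssl, fd) != 1
            || SSL_accept(data->ssl) <= 0) {

        guac_error = GUAC_STATUS_BAD_STATE;
        guac_error_message = "SSL setup or accept failed";

        /* SSL_free() accepts NULL; fd ownership stays with the caller */
        SSL_free(data->ssl);
        free(data);
        guac_socket_free(socket);
        return NULL;
    }

    /* … unchanged: store fd, set socket->data, install handlers … */
```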
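Review bot: The doc comment on guac_socket_open_secure() still reads as if the call cannot fail, yet per the socket-ssl.c hunk it now performs the SSL handshake and returns NULL with guac_error set when SSL_accept() fails, which every caller must handle. Extend the comment with lines such as ` * Performs the server-side SSL handshake on fd using the given context.` and ` * Returns NULL, with guac_error set, if the handshake fails; the caller keeps ownership of fd.`. The new `context` field's comment could likewise state that the socket only references the SSL_CTX and never frees it (the free handler in socket-ssl.c releases only the per-connection data), so its lifetime is the caller's responsibility.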