tls: introduce a wrap function

Introduce `git_tls_stream_wrap` which will take an existing `stream`
with an already connected socket and begin speaking TLS on top of it.
This is useful if you've built a connection to a proxy server and you
wish to begin CONNECT over it to tunnel a TLS connection.

Also update the pluggable TLS stream layer so that it can accept a
registration structure that provides an `init` and `wrap` function,
instead of a single initialization function.

Author: ethomson

include/git2/sys/stream.h

@@ -40,18 +40,48 @@ typedef struct git_stream {
 	void (*free)(struct git_stream *);
 } git_stream;
 
-typedef int (*git_stream_cb)(git_stream **out, const char *host, const char *port);
+typedef struct {
+	/** The `version` field should be set to `GIT_STREAM_VERSION`. */
+	int version;
+
+	/**
+	 * Called to create a new TLS connection to a given host.
+	 *
+	 * @param out The created TLS stream
+	 * @param host The hostname to connect to; may be a hostname or
+	 *             IP address
+	 * @param port The port to connect to; may be a port number or
+	 *             service name
+	 * @return 0 or an error code
+	 */
+	int (*init)(git_stream **out, const char *host, const char *port);
+
+	/**
+	 * Called to create a new TLS connection on top of the given
+	 * stream.  May be used to proxy a TLS stream over a CONNECT
+	 * session.
+	 *
+	 * @param out The created TLS stream
+	 * @param in An existing stream to add TLS to
+	 * @param host The hostname that the stream is connected to,
+	 *             for certificate validation
+	 * @return 0 or an error code
+	 */
+	int (*wrap)(git_stream **out, git_stream *in, const char *host);
+} git_stream_registration;
 
 /**
- * Register a TLS stream constructor for the library to use
+ * Register TLS stream constructors for the library to use
  *
- * If a constructor is already set, it will be overwritten. Pass
- * `NULL` in order to deregister the current constructor.
+ * If a registration structure is already set, it will be overwritten.
+ * Pass `NULL` in order to deregister the current constructor and return
+ * to the system defaults.
  *
- * @param ctor the constructor to use
+ * @param registration the registration data
  * @return 0 or an error code
  */
-GIT_EXTERN(int) git_stream_register_tls(git_stream_cb ctor);
+GIT_EXTERN(int) git_stream_register_tls(
+	git_stream_registration *registration);
 
 GIT_END_DECL
 

src/global.c

@@ -12,6 +12,7 @@
 #include "sysdir.h"
 #include "filter.h"
 #include "merge_driver.h"
+#include "streams/tls.h"
 #include "streams/curl.h"
 #include "streams/mbedtls.h"
 #include "streams/openssl.h"
@@ -67,6 +68,7 @@ static int init_common(void)
 		(ret = git_filter_global_init()) == 0 &&
 		(ret = git_merge_driver_global_init()) == 0 &&
 		(ret = git_transport_ssh_global_init()) == 0 &&
+		(ret = git_tls_stream_global_init()) == 0 &&
 		(ret = git_openssl_stream_global_init()) == 0 &&
 		(ret = git_curl_stream_global_init()) == 0 &&
 		(ret = git_mbedtls_stream_global_init()) == 0)

src/streams/mbedtls.c

@@ -242,6 +242,7 @@ static int verify_server_cert(mbedtls_ssl_context *ssl)
 typedef struct {
 	git_stream parent;
 	git_stream *io;
+	int owned;
 	bool connected;
 	char *host;
 	mbedtls_ssl_context *ssl;
@@ -254,7 +255,7 @@ int mbedtls_connect(git_stream *stream)
 	int ret;
 	mbedtls_stream *st = (mbedtls_stream *) stream;
 
-	if ((ret = git_stream_connect(st->io)) < 0)
+	if (st->owned && (ret = git_stream_connect(st->io)) < 0)
 		return ret;
 
 	st->connected = true;
@@ -345,37 +346,37 @@ int mbedtls_stream_close(git_stream *stream)
 
 	st->connected = false;
 
-	return git_stream_close(st->io);
+	return st->owned ? git_stream_close(st->io) : 0;
 }
 
 void mbedtls_stream_free(git_stream *stream)
 {
 	mbedtls_stream *st = (mbedtls_stream *) stream;
 
+	if (st->owned)
+		git_stream_free(st->io);
+
 	git__free(st->host);
 	git__free(st->cert_info.data);
-	git_stream_free(st->io);
 	mbedtls_ssl_free(st->ssl);
 	git__free(st->ssl);
 	git__free(st);
 }
 
-int git_mbedtls_stream_new(git_stream **out, const char *host, const char *port)
+static int mbedtls_stream_wrap(
+	git_stream **out,
+	git_stream *in,
+	const char *host,
+	int owned)
 {
-	int error;
 	mbedtls_stream *st;
+	int error;
 
 	st = git__calloc(1, sizeof(mbedtls_stream));
 	GITERR_CHECK_ALLOC(st);
 
-#ifdef GIT_CURL
-	error = git_curl_stream_new(&st->io, host, port);
-#else
-	error = git_socket_stream_new(&st->io, host, port);
-#endif
-
-	if (error < 0)
-		goto out_err;
+	st->io = in;
+	st->owned = owned;
 
 	st->ssl = git__malloc(sizeof(mbedtls_ssl_context));
 	GITERR_CHECK_ALLOC(st->ssl);
@@ -405,12 +406,48 @@ int git_mbedtls_stream_new(git_stream **out, const char *host, const char *port)
 
 out_err:
 	mbedtls_ssl_free(st->ssl);
+	git_stream_close(st->io);
 	git_stream_free(st->io);
 	git__free(st);
 
 	return error;
 }
 
+int git_mbedtls_stream_wrap(
+	git_stream **out,
+	git_stream *in,
+	const char *host)
+{
+	return mbedtls_stream_wrap(out, in, host, 0);
+}
+
+int git_mbedtls_stream_new(
+	git_stream **out,
+	const char *host,
+	const char *port)
+{
+	git_stream *stream;
+	int error;
+
+	assert(out && host && port);
+
+#ifdef GIT_CURL
+	error = git_curl_stream_new(&stream, host, port);
+#else
+	error = git_socket_stream_new(&stream, host, port);
+#endif
+
+	if (error < 0)
+		return error;
+
+	if ((error = mbedtls_stream_wrap(out, stream, host, 1)) < 0) {
+		git_stream_close(stream);
+		git_stream_free(stream);
+	}
+
+	return error;
+}
+
 int git_mbedtls__set_cert_location(const char *path, int is_dir)
 {
 	int ret = 0;

src/streams/mbedtls.h

@@ -14,6 +14,7 @@
 extern int git_mbedtls_stream_global_init(void);
 
 extern int git_mbedtls_stream_new(git_stream **out, const char *host, const char *port);
+extern int git_mbedtls_stream_wrap(git_stream **out, git_stream *in, const char *host);
 
 extern int git_mbedtls__set_cert_location(const char *path, int is_dir);
 

src/streams/openssl.c

@@ -569,6 +569,7 @@ static int verify_server_cert(SSL *ssl, const char *host)
 typedef struct {
 	git_stream parent;
 	git_stream *io;
+	int owned;
 	bool connected;
 	char *host;
 	SSL *ssl;
@@ -583,7 +584,7 @@ int openssl_connect(git_stream *stream)
 	BIO *bio;
 	openssl_stream *st = (openssl_stream *) stream;
 
-	if ((ret = git_stream_connect(st->io)) < 0)
+	if (st->owned && (ret = git_stream_connect(st->io)) < 0)
 		return ret;
 
 	bio = BIO_new(git_stream_bio_method);
@@ -682,43 +683,43 @@ int openssl_close(git_stream *stream)
 
 	st->connected = false;
 
-	return git_stream_close(st->io);
+	return st->owned ? git_stream_close(st->io) : 0;
 }
 
 void openssl_free(git_stream *stream)
 {
 	openssl_stream *st = (openssl_stream *) stream;
 
+	if (st->owned)
+		git_stream_free(st->io);
+
 	SSL_free(st->ssl);
 	git__free(st->host);
 	git__free(st->cert_info.data);
-	git_stream_free(st->io);
 	git__free(st);
 }
 
-int git_openssl_stream_new(git_stream **out, const char *host, const char *port)
+static int openssl_stream_wrap(
+	git_stream **out,
+	git_stream *in,
+	const char *host,
+	int owned)
 {
-	int error;
 	openssl_stream *st;
 
+	assert(out && in && host);
+
 	st = git__calloc(1, sizeof(openssl_stream));
 	GITERR_CHECK_ALLOC(st);
 
-	st->io = NULL;
-#ifdef GIT_CURL
-	error = git_curl_stream_new(&st->io, host, port);
-#else
-	error = git_socket_stream_new(&st->io, host, port);
-#endif
-
-	if (error < 0)
-		goto out_err;
+	st->io = in;
+	st->owned = owned;
 
 	st->ssl = SSL_new(git__ssl_ctx);
 	if (st->ssl == NULL) {
 		giterr_set(GITERR_SSL, "failed to create ssl object");
-		error = -1;
-		goto out_err;
+		git__free(st);
+		return -1;
 	}
 
 	st->host = git__strdup(host);
@@ -737,10 +738,33 @@ int git_openssl_stream_new(git_stream **out, const char *host, const char *port)
 
 	*out = (git_stream *) st;
 	return 0;
+}
 
-out_err:
-	git_stream_free(st->io);
-	git__free(st);
+int git_openssl_stream_wrap(git_stream **out, git_stream *in, const char *host)
+{
+	return openssl_stream_wrap(out, in, host, 0);
+}
+
+int git_openssl_stream_new(git_stream **out, const char *host, const char *port)
+{
+	git_stream *stream = NULL;
+	int error;
+
+	assert(out && host && port);
+
+#ifdef GIT_CURL
+	error = git_curl_stream_new(&stream, host, port);
+#else
+	error = git_socket_stream_new(&stream, host, port);
+#endif
+
+	if (error < 0)
+		return error;
+
+	if ((error = openssl_stream_wrap(out, stream, host, 1)) < 0) {
+		git_stream_close(stream);
+		git_stream_free(stream);
+	}
 
 	return error;
 }

src/streams/openssl.h

@@ -14,6 +14,7 @@
 extern int git_openssl_stream_global_init(void);
 
 extern int git_openssl_stream_new(git_stream **out, const char *host, const char *port);
+extern int git_openssl_stream_wrap(git_stream **out, git_stream *in, const char *host);
 
 extern int git_openssl__set_cert_location(const char *file, const char *path);