]>
Commit | Line | Data |
---|---|---|
af6f5d47 WP |
1 | /* |
2 | * libratbox: a library used by ircd-ratbox and other things | |
3 | * gnutls.c: gnutls related code | |
4 | * | |
5 | * Copyright (C) 2007-2008 ircd-ratbox development team | |
6 | * Copyright (C) 2007-2008 Aaron Sethman <androsyn@ratbox.org> | |
af6f5d47 WP |
7 | * |
8 | * This program is free software; you can redistribute it and/or modify | |
9 | * it under the terms of the GNU General Public License as published by | |
10 | * the Free Software Foundation; either version 2 of the License, or | |
11 | * (at your option) any later version. | |
12 | * | |
13 | * This program is distributed in the hope that it will be useful, | |
14 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | |
15 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
16 | * GNU General Public License for more details. | |
17 | * | |
18 | * You should have received a copy of the GNU General Public License | |
19 | * along with this program; if not, write to the Free Software | |
20 | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 | |
21 | * USA | |
22 | * | |
af6f5d47 WP |
23 | */ |
24 | ||
25 | #include <libratbox_config.h> | |
26 | #include <ratbox_lib.h> | |
af6f5d47 WP |
27 | #include <commio-int.h> |
28 | #include <commio-ssl.h> | |
033be687 VY |
29 | #ifdef HAVE_GNUTLS |
30 | ||
af6f5d47 | 31 | #include <gnutls/gnutls.h> |
0a625836 | 32 | #include <gnutls/x509.h> |
033be687 VY |
33 | #include <gcrypt.h> |
34 | ||
35 | static gnutls_certificate_credentials x509; | |
36 | static gnutls_dh_params dh_params; | |
af6f5d47 | 37 | |
033be687 VY |
38 | |
39 | ||
40 | #define SSL_P(x) *((gnutls_session_t *)F->ssl) | |
af6f5d47 WP |
41 | |
42 | void | |
94b4fbf9 | 43 | rb_ssl_shutdown(rb_fde_t *F) |
af6f5d47 | 44 | { |
033be687 | 45 | int i; |
af6f5d47 WP |
46 | if(F == NULL || F->ssl == NULL) |
47 | return; | |
94b4fbf9 | 48 | for(i = 0; i < 4; i++) |
033be687 VY |
49 | { |
50 | if(gnutls_bye(SSL_P(F), GNUTLS_SHUT_RDWR) == GNUTLS_E_SUCCESS) | |
51 | break; | |
52 | } | |
53 | gnutls_deinit(SSL_P(F)); | |
54 | rb_free(F->ssl); | |
55 | } | |
af6f5d47 | 56 | |
033be687 VY |
57 | unsigned int |
58 | rb_ssl_handshake_count(rb_fde_t *F) | |
59 | { | |
60 | return F->handshake_count; | |
61 | } | |
62 | ||
63 | void | |
64 | rb_ssl_clear_handshake_count(rb_fde_t *F) | |
65 | { | |
66 | F->handshake_count = 0; | |
af6f5d47 WP |
67 | } |
68 | ||
69 | static void | |
94b4fbf9 | 70 | rb_ssl_timeout(rb_fde_t *F, void *notused) |
af6f5d47 WP |
71 | { |
72 | lrb_assert(F->accept != NULL); | |
73 | F->accept->callback(F, RB_ERR_TIMEOUT, NULL, 0, F->accept->data); | |
74 | } | |
75 | ||
033be687 | 76 | |
94b4fbf9 VY |
77 | static int |
78 | do_ssl_handshake(rb_fde_t *F, PF * callback) | |
033be687 VY |
79 | { |
80 | int ret; | |
94b4fbf9 | 81 | int flags; |
033be687 VY |
82 | |
83 | ret = gnutls_handshake(SSL_P(F)); | |
84 | if(ret < 0) | |
85 | { | |
86 | if((ret == GNUTLS_E_INTERRUPTED && rb_ignore_errno(errno)) || ret == GNUTLS_E_AGAIN) | |
87 | { | |
88 | if(gnutls_record_get_direction(SSL_P(F)) == 0) | |
89 | flags = RB_SELECT_READ; | |
90 | else | |
91 | flags = RB_SELECT_WRITE; | |
94b4fbf9 | 92 | rb_setselect(F, flags, callback, NULL); |
033be687 VY |
93 | return 0; |
94 | } | |
95 | F->ssl_errno = ret; | |
96 | return -1; | |
94b4fbf9 VY |
97 | } |
98 | return 1; /* handshake is finished..go about life */ | |
033be687 VY |
99 | } |
100 | ||
af6f5d47 | 101 | static void |
94b4fbf9 | 102 | rb_ssl_tryaccept(rb_fde_t *F, void *data) |
af6f5d47 | 103 | { |
033be687 | 104 | int ret; |
af6f5d47 WP |
105 | struct acceptdata *ad; |
106 | ||
033be687 | 107 | lrb_assert(F->accept != NULL); |
af6f5d47 | 108 | |
033be687 | 109 | ret = do_ssl_handshake(F, rb_ssl_tryaccept); |
94b4fbf9 | 110 | |
f030cae8 VY |
111 | /* do_ssl_handshake does the rb_setselect */ |
112 | if(ret == 0) | |
94b4fbf9 | 113 | return; |
94b4fbf9 | 114 | |
f030cae8 VY |
115 | ad = F->accept; |
116 | F->accept = NULL; | |
af6f5d47 WP |
117 | rb_settimeout(F, 0, NULL, NULL); |
118 | rb_setselect(F, RB_SELECT_READ | RB_SELECT_WRITE, NULL, NULL); | |
f030cae8 VY |
119 | |
120 | if(ret > 0) | |
121 | ad->callback(F, RB_OK, (struct sockaddr *)&ad->S, ad->addrlen, ad->data); | |
122 | else | |
123 | ad->callback(F, RB_ERROR_SSL, NULL, 0, ad->data); | |
94b4fbf9 | 124 | |
af6f5d47 WP |
125 | rb_free(ad); |
126 | } | |
127 | ||
128 | void | |
94b4fbf9 | 129 | rb_ssl_start_accepted(rb_fde_t *new_F, ACCB * cb, void *data, int timeout) |
af6f5d47 | 130 | { |
033be687 | 131 | gnutls_session_t *ssl; |
af6f5d47 | 132 | new_F->type |= RB_FD_SSL; |
033be687 | 133 | ssl = new_F->ssl = rb_malloc(sizeof(gnutls_session_t)); |
af6f5d47 | 134 | new_F->accept = rb_malloc(sizeof(struct acceptdata)); |
94b4fbf9 | 135 | |
af6f5d47 WP |
136 | new_F->accept->callback = cb; |
137 | new_F->accept->data = data; | |
138 | rb_settimeout(new_F, timeout, rb_ssl_timeout, NULL); | |
139 | ||
140 | new_F->accept->addrlen = 0; | |
141 | ||
94b4fbf9 | 142 | gnutls_init(ssl, GNUTLS_SERVER); |
033be687 VY |
143 | gnutls_set_default_priority(*ssl); |
144 | gnutls_credentials_set(*ssl, GNUTLS_CRD_CERTIFICATE, x509); | |
145 | gnutls_dh_set_prime_bits(*ssl, 1024); | |
146 | gnutls_transport_set_ptr(*ssl, (gnutls_transport_ptr_t) (long int)new_F->fd); | |
0a625836 | 147 | gnutls_certificate_server_set_request(*ssl, GNUTLS_CERT_REQUEST); |
033be687 | 148 | if(do_ssl_handshake(new_F, rb_ssl_tryaccept)) |
af6f5d47 | 149 | { |
033be687 | 150 | struct acceptdata *ad = new_F->accept; |
af6f5d47 | 151 | new_F->accept = NULL; |
94b4fbf9 VY |
152 | ad->callback(new_F, RB_OK, (struct sockaddr *)&ad->S, ad->addrlen, ad->data); |
153 | rb_free(ad); | |
af6f5d47 | 154 | } |
033be687 | 155 | |
af6f5d47 WP |
156 | } |
157 | ||
033be687 VY |
158 | |
159 | ||
160 | ||
af6f5d47 | 161 | void |
94b4fbf9 | 162 | rb_ssl_accept_setup(rb_fde_t *F, rb_fde_t *new_F, struct sockaddr *st, int addrlen) |
af6f5d47 | 163 | { |
af6f5d47 | 164 | new_F->type |= RB_FD_SSL; |
033be687 | 165 | new_F->ssl = rb_malloc(sizeof(gnutls_session_t)); |
af6f5d47 WP |
166 | new_F->accept = rb_malloc(sizeof(struct acceptdata)); |
167 | ||
168 | new_F->accept->callback = F->accept->callback; | |
169 | new_F->accept->data = F->accept->data; | |
170 | rb_settimeout(new_F, 10, rb_ssl_timeout, NULL); | |
171 | memcpy(&new_F->accept->S, st, addrlen); | |
172 | new_F->accept->addrlen = addrlen; | |
173 | ||
94b4fbf9 | 174 | gnutls_init((gnutls_session_t *) new_F->ssl, GNUTLS_SERVER); |
033be687 VY |
175 | gnutls_set_default_priority(SSL_P(new_F)); |
176 | gnutls_credentials_set(SSL_P(new_F), GNUTLS_CRD_CERTIFICATE, x509); | |
177 | gnutls_dh_set_prime_bits(SSL_P(new_F), 1024); | |
4414eb3c | 178 | gnutls_transport_set_ptr(SSL_P(new_F), (gnutls_transport_ptr_t) (long int)rb_get_fd(new_F)); |
0a625836 | 179 | gnutls_certificate_server_set_request(SSL_P(new_F), GNUTLS_CERT_REQUEST); |
033be687 | 180 | if(do_ssl_handshake(F, rb_ssl_tryaccept)) |
af6f5d47 | 181 | { |
033be687 VY |
182 | struct acceptdata *ad = F->accept; |
183 | F->accept = NULL; | |
94b4fbf9 VY |
184 | ad->callback(F, RB_OK, (struct sockaddr *)&ad->S, ad->addrlen, ad->data); |
185 | rb_free(ad); | |
033be687 VY |
186 | } |
187 | } | |
af6f5d47 | 188 | |
af6f5d47 | 189 | |
af6f5d47 | 190 | |
af6f5d47 WP |
191 | |
192 | static ssize_t | |
94b4fbf9 | 193 | rb_ssl_read_or_write(int r_or_w, rb_fde_t *F, void *rbuf, const void *wbuf, size_t count) |
af6f5d47 WP |
194 | { |
195 | ssize_t ret; | |
033be687 | 196 | gnutls_session_t *ssl = F->ssl; |
af6f5d47 WP |
197 | |
198 | if(r_or_w == 0) | |
033be687 | 199 | ret = gnutls_record_recv(*ssl, rbuf, count); |
af6f5d47 | 200 | else |
033be687 | 201 | ret = gnutls_record_send(*ssl, wbuf, count); |
af6f5d47 WP |
202 | |
203 | if(ret < 0) | |
204 | { | |
94b4fbf9 | 205 | switch (ret) |
af6f5d47 WP |
206 | { |
207 | case GNUTLS_E_AGAIN: | |
af6f5d47 | 208 | case GNUTLS_E_INTERRUPTED: |
033be687 | 209 | if(rb_ignore_errno(errno)) |
af6f5d47 | 210 | { |
033be687 VY |
211 | if(gnutls_record_get_direction(*ssl) == 0) |
212 | return RB_RW_SSL_NEED_READ; | |
213 | else | |
214 | return RB_RW_SSL_NEED_WRITE; | |
215 | break; | |
af6f5d47 | 216 | } |
af6f5d47 | 217 | default: |
033be687 VY |
218 | F->ssl_errno = ret; |
219 | errno = EIO; | |
220 | return RB_RW_IO_ERROR; | |
af6f5d47 | 221 | } |
af6f5d47 WP |
222 | } |
223 | return ret; | |
224 | } | |
225 | ||
226 | ssize_t | |
94b4fbf9 | 227 | rb_ssl_read(rb_fde_t *F, void *buf, size_t count) |
af6f5d47 WP |
228 | { |
229 | return rb_ssl_read_or_write(0, F, buf, NULL, count); | |
230 | } | |
231 | ||
232 | ssize_t | |
94b4fbf9 | 233 | rb_ssl_write(rb_fde_t *F, const void *buf, size_t count) |
af6f5d47 WP |
234 | { |
235 | return rb_ssl_read_or_write(1, F, NULL, buf, count); | |
236 | } | |
237 | ||
033be687 VY |
238 | static void |
239 | rb_gcry_random_seed(void *unused) | |
240 | { | |
241 | gcry_fast_random_poll(); | |
242 | } | |
243 | ||
af6f5d47 WP |
244 | int |
245 | rb_init_ssl(void) | |
246 | { | |
af6f5d47 | 247 | gnutls_global_init(); |
94b4fbf9 | 248 | |
033be687 | 249 | if(gnutls_certificate_allocate_credentials(&x509) != GNUTLS_E_SUCCESS) |
af6f5d47 | 250 | { |
033be687 VY |
251 | rb_lib_log("rb_init_ssl: Unable to allocate SSL/TLS certificate credentials"); |
252 | return 0; | |
af6f5d47 | 253 | } |
033be687 VY |
254 | rb_event_addish("rb_gcry_random_seed", rb_gcry_random_seed, NULL, 300); |
255 | return 1; | |
256 | } | |
af6f5d47 | 257 | |
033be687 | 258 | static void |
94b4fbf9 | 259 | rb_free_datum_t(gnutls_datum_t * d) |
033be687 VY |
260 | { |
261 | rb_free(d->data); | |
262 | rb_free(d); | |
263 | } | |
af6f5d47 | 264 | |
033be687 VY |
265 | static gnutls_datum_t * |
266 | rb_load_file_into_datum_t(const char *file) | |
267 | { | |
268 | FILE *f; | |
269 | gnutls_datum_t *datum; | |
270 | struct stat fileinfo; | |
271 | if((f = fopen(file, "r")) == NULL) | |
272 | return NULL; | |
273 | if(fstat(fileno(f), &fileinfo)) | |
274 | return NULL; | |
275 | ||
276 | datum = rb_malloc(sizeof(gnutls_datum_t)); | |
277 | ||
94b4fbf9 | 278 | if(fileinfo.st_size > 131072) /* deal with retards */ |
033be687 VY |
279 | datum->size = 131072; |
280 | else | |
94b4fbf9 VY |
281 | datum->size = fileinfo.st_size; |
282 | ||
033be687 VY |
283 | datum->data = rb_malloc(datum->size + 1); |
284 | fread(datum->data, datum->size, 1, f); | |
285 | fclose(f); | |
94b4fbf9 | 286 | return datum; |
af6f5d47 WP |
287 | } |
288 | ||
289 | int | |
290 | rb_setup_ssl_server(const char *cert, const char *keyfile, const char *dhfile) | |
291 | { | |
033be687 VY |
292 | int ret; |
293 | gnutls_datum_t *d_cert, *d_key; | |
294 | if(cert == NULL) | |
295 | { | |
296 | rb_lib_log("rb_setup_ssl_server: No certificate file"); | |
297 | return 0; | |
298 | } | |
af6f5d47 | 299 | |
033be687 | 300 | if((d_cert = rb_load_file_into_datum_t(cert)) == NULL) |
af6f5d47 | 301 | { |
033be687 | 302 | rb_lib_log("rb_setup_ssl_server: Error loading certificate: %s", strerror(errno)); |
af6f5d47 WP |
303 | return 0; |
304 | } | |
305 | ||
033be687 VY |
306 | if((d_key = rb_load_file_into_datum_t(keyfile)) == NULL) |
307 | { | |
308 | rb_lib_log("rb_setup_ssl_server: Error loading key: %s", strerror(errno)); | |
309 | return 0; | |
310 | } | |
94b4fbf9 VY |
311 | |
312 | ||
313 | if((ret = | |
314 | gnutls_certificate_set_x509_key_mem(x509, d_cert, d_key, | |
315 | GNUTLS_X509_FMT_PEM)) != GNUTLS_E_SUCCESS) | |
033be687 | 316 | { |
94b4fbf9 VY |
317 | rb_lib_log("rb_setup_ssl_server: Error loading certificate or key file: %s", |
318 | gnutls_strerror(ret)); | |
033be687 VY |
319 | return 0; |
320 | } | |
321 | rb_free_datum_t(d_cert); | |
322 | rb_free_datum_t(d_key); | |
94b4fbf9 | 323 | |
033be687 VY |
324 | if(dhfile != NULL) |
325 | { | |
326 | if(gnutls_dh_params_init(&dh_params) == GNUTLS_E_SUCCESS) | |
327 | { | |
328 | gnutls_datum_t *data; | |
329 | int xret; | |
330 | data = rb_load_file_into_datum_t(dhfile); | |
331 | if(data != NULL) | |
332 | { | |
94b4fbf9 VY |
333 | xret = gnutls_dh_params_import_pkcs3(dh_params, data, |
334 | GNUTLS_X509_FMT_PEM); | |
033be687 | 335 | if(xret < 0) |
94b4fbf9 VY |
336 | rb_lib_log |
337 | ("rb_setup_ssl_server: Error parsing DH file: %s\n", | |
338 | gnutls_strerror(xret)); | |
033be687 VY |
339 | rb_free_datum_t(data); |
340 | } | |
341 | gnutls_certificate_set_dh_params(x509, dh_params); | |
94b4fbf9 VY |
342 | } |
343 | else | |
033be687 VY |
344 | rb_lib_log("rb_setup_ssl_server: Unable to setup DH parameters"); |
345 | } | |
af6f5d47 WP |
346 | return 1; |
347 | } | |
348 | ||
349 | int | |
94b4fbf9 | 350 | rb_ssl_listen(rb_fde_t *F, int backlog) |
af6f5d47 WP |
351 | { |
352 | F->type = RB_FD_SOCKET | RB_FD_LISTEN | RB_FD_SSL; | |
353 | return listen(F->fd, backlog); | |
354 | } | |
355 | ||
356 | struct ssl_connect | |
357 | { | |
358 | CNCB *callback; | |
359 | void *data; | |
360 | int timeout; | |
361 | }; | |
362 | ||
363 | static void | |
94b4fbf9 | 364 | rb_ssl_connect_realcb(rb_fde_t *F, int status, struct ssl_connect *sconn) |
af6f5d47 WP |
365 | { |
366 | F->connect->callback = sconn->callback; | |
367 | F->connect->data = sconn->data; | |
368 | rb_free(sconn); | |
369 | rb_connect_callback(F, status); | |
370 | } | |
371 | ||
372 | static void | |
94b4fbf9 | 373 | rb_ssl_tryconn_timeout_cb(rb_fde_t *F, void *data) |
af6f5d47 WP |
374 | { |
375 | rb_ssl_connect_realcb(F, RB_ERR_TIMEOUT, data); | |
376 | } | |
377 | ||
378 | static void | |
94b4fbf9 | 379 | rb_ssl_tryconn_cb(rb_fde_t *F, void *data) |
af6f5d47 WP |
380 | { |
381 | struct ssl_connect *sconn = data; | |
033be687 VY |
382 | int ret; |
383 | ||
94b4fbf9 VY |
384 | ret = do_ssl_handshake(F, rb_ssl_tryconn_cb); |
385 | ||
386 | switch (ret) | |
387 | { | |
388 | case -1: | |
389 | rb_ssl_connect_realcb(F, RB_ERROR_SSL, sconn); | |
390 | break; | |
391 | case 0: | |
392 | /* do_ssl_handshake does the rb_setselect stuff */ | |
393 | return; | |
394 | default: | |
395 | break; | |
396 | ||
397 | ||
398 | } | |
033be687 | 399 | rb_ssl_connect_realcb(F, RB_OK, sconn); |
af6f5d47 WP |
400 | } |
401 | ||
402 | static void | |
94b4fbf9 | 403 | rb_ssl_tryconn(rb_fde_t *F, int status, void *data) |
af6f5d47 | 404 | { |
af6f5d47 | 405 | struct ssl_connect *sconn = data; |
af6f5d47 WP |
406 | if(status != RB_OK) |
407 | { | |
408 | rb_ssl_connect_realcb(F, status, sconn); | |
409 | return; | |
410 | } | |
411 | ||
412 | F->type |= RB_FD_SSL; | |
413 | ||
94b4fbf9 | 414 | |
af6f5d47 | 415 | rb_settimeout(F, sconn->timeout, rb_ssl_tryconn_timeout_cb, sconn); |
033be687 | 416 | F->ssl = rb_malloc(sizeof(gnutls_session_t)); |
94b4fbf9 VY |
417 | gnutls_init(F->ssl, GNUTLS_CLIENT); |
418 | gnutls_set_default_priority(SSL_P(F)); | |
033be687 VY |
419 | gnutls_dh_set_prime_bits(SSL_P(F), 1024); |
420 | gnutls_transport_set_ptr(SSL_P(F), (gnutls_transport_ptr_t) (long int)F->fd); | |
421 | ||
422 | if(do_ssl_handshake(F, rb_ssl_tryconn_cb)) | |
af6f5d47 WP |
423 | { |
424 | rb_ssl_connect_realcb(F, RB_OK, sconn); | |
425 | } | |
426 | } | |
427 | ||
428 | void | |
94b4fbf9 | 429 | rb_connect_tcp_ssl(rb_fde_t *F, struct sockaddr *dest, |
af6f5d47 WP |
430 | struct sockaddr *clocal, int socklen, CNCB * callback, void *data, int timeout) |
431 | { | |
432 | struct ssl_connect *sconn; | |
433 | if(F == NULL) | |
434 | return; | |
435 | ||
436 | sconn = rb_malloc(sizeof(struct ssl_connect)); | |
437 | sconn->data = data; | |
438 | sconn->callback = callback; | |
439 | sconn->timeout = timeout; | |
440 | rb_connect_tcp(F, dest, clocal, socklen, rb_ssl_tryconn, sconn, timeout); | |
033be687 | 441 | |
af6f5d47 WP |
442 | } |
443 | ||
444 | void | |
94b4fbf9 | 445 | rb_ssl_start_connected(rb_fde_t *F, CNCB * callback, void *data, int timeout) |
af6f5d47 | 446 | { |
af6f5d47 | 447 | struct ssl_connect *sconn; |
af6f5d47 WP |
448 | if(F == NULL) |
449 | return; | |
450 | ||
451 | sconn = rb_malloc(sizeof(struct ssl_connect)); | |
452 | sconn->data = data; | |
453 | sconn->callback = callback; | |
454 | sconn->timeout = timeout; | |
455 | F->connect = rb_malloc(sizeof(struct conndata)); | |
456 | F->connect->callback = callback; | |
457 | F->connect->data = data; | |
458 | F->type |= RB_FD_SSL; | |
033be687 | 459 | F->ssl = rb_malloc(sizeof(gnutls_session_t)); |
94b4fbf9 VY |
460 | |
461 | gnutls_init(F->ssl, GNUTLS_CLIENT); | |
462 | gnutls_set_default_priority(SSL_P(F)); | |
033be687 VY |
463 | gnutls_dh_set_prime_bits(SSL_P(F), 1024); |
464 | gnutls_transport_set_ptr(SSL_P(F), (gnutls_transport_ptr_t) (long int)F->fd); | |
94b4fbf9 | 465 | |
af6f5d47 | 466 | rb_settimeout(F, sconn->timeout, rb_ssl_tryconn_timeout_cb, sconn); |
033be687 VY |
467 | |
468 | if(do_ssl_handshake(F, rb_ssl_tryconn_cb)) | |
af6f5d47 WP |
469 | { |
470 | rb_ssl_connect_realcb(F, RB_OK, sconn); | |
471 | } | |
472 | } | |
473 | ||
af6f5d47 WP |
474 | int |
475 | rb_init_prng(const char *path, prng_seed_t seed_type) | |
476 | { | |
033be687 VY |
477 | gcry_fast_random_poll(); |
478 | return 1; | |
af6f5d47 WP |
479 | } |
480 | ||
481 | int | |
482 | rb_get_random(void *buf, size_t length) | |
483 | { | |
033be687 VY |
484 | gcry_randomize(buf, length, GCRY_STRONG_RANDOM); |
485 | return 1; | |
af6f5d47 WP |
486 | } |
487 | ||
4414eb3c VY |
488 | int |
489 | rb_get_pseudo_random(void *buf, size_t length) | |
490 | { | |
491 | gcry_randomize(buf, length, GCRY_WEAK_RANDOM); | |
492 | return 1; | |
493 | } | |
af6f5d47 WP |
494 | |
495 | const char * | |
94b4fbf9 | 496 | rb_get_ssl_strerror(rb_fde_t *F) |
af6f5d47 WP |
497 | { |
498 | return gnutls_strerror(F->ssl_errno); | |
499 | } | |
500 | ||
a099270d JT |
501 | int |
502 | rb_get_ssl_certfp(rb_fde_t *F, uint8_t certfp[RB_SSL_CERTFP_LEN]) | |
503 | { | |
0a625836 WP |
504 | gnutls_x509_crt_t cert; |
505 | unsigned int cert_list_size; | |
506 | const gnutls_datum_t *cert_list; | |
507 | uint8_t digest[RB_SSL_CERTFP_LEN * 2]; | |
508 | size_t digest_size; | |
509 | ||
510 | if (gnutls_certificate_type_get(SSL_P(F)) != GNUTLS_CRT_X509) | |
511 | return 0; | |
512 | ||
513 | if (gnutls_x509_crt_init(&cert) < 0) | |
514 | return 0; | |
515 | ||
516 | cert_list_size = 0; | |
517 | cert_list = gnutls_certificate_get_peers(SSL_P(F), &cert_list_size); | |
518 | if (cert_list == NULL) | |
519 | { | |
520 | gnutls_x509_crt_deinit(cert); | |
521 | return 0; | |
522 | } | |
523 | ||
524 | if (gnutls_x509_crt_import(cert, &cert_list[0], GNUTLS_X509_FMT_DER) < 0) | |
525 | { | |
526 | gnutls_x509_crt_deinit(cert); | |
527 | return 0; | |
528 | } | |
529 | ||
530 | if (gnutls_x509_crt_get_fingerprint(cert, GNUTLS_DIG_SHA1, digest, &digest_size) < 0) | |
531 | { | |
532 | gnutls_x509_crt_deinit(cert); | |
533 | return 0; | |
534 | } | |
535 | ||
536 | memcpy(certfp, digest, RB_SSL_CERTFP_LEN); | |
537 | ||
ed1dc6b3 | 538 | gnutls_x509_crt_deinit(cert); |
0a625836 | 539 | return 1; |
a099270d JT |
540 | } |
541 | ||
af6f5d47 WP |
542 | int |
543 | rb_supports_ssl(void) | |
544 | { | |
545 | return 1; | |
546 | } | |
547 | ||
f030cae8 VY |
548 | void |
549 | rb_get_ssl_info(char *buf, size_t len) | |
550 | { | |
551 | rb_snprintf(buf, len, "GNUTLS: compiled (%s), library(%s)", | |
552 | LIBGNUTLS_VERSION, gnutls_check_version(NULL)); | |
553 | } | |
554 | ||
555 | ||
af6f5d47 | 556 | #endif /* HAVE_GNUTLS */ |