[irc/rqf/shadowircd.git] / libratbox / src / gnutls.c

/*
 *  libratbox: a library used by ircd-ratbox and other things
 *  gnutls.c: gnutls related code
 *
 *  Copyright (C) 2007-2008 ircd-ratbox development team
 *  Copyright (C) 2007-2008 Aaron Sethman <androsyn@ratbox.org>
 *
 *  This program is free software; you can redistribute it and/or modify
 *  it under the terms of the GNU General Public License as published by
 *  the Free Software Foundation; either version 2 of the License, or
 *  (at your option) any later version.
 *
 *  This program is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *  GNU General Public License for more details.
 *  
 *  You should have received a copy of the GNU General Public License
 *  along with this program; if not, write to the Free Software
 *  Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301
 *  USA
 *
 */

#include <libratbox_config.h>
#include <ratbox_lib.h>
#include <commio-int.h>
#include <commio-ssl.h>
#ifdef HAVE_GNUTLS

#include <gnutls/gnutls.h>
#include <gnutls/x509.h>
#include <gcrypt.h>

static gnutls_certificate_credentials x509;
static gnutls_dh_params dh_params;


#define SSL_P(x) *((gnutls_session_t *)F->ssl)

void
rb_ssl_shutdown(rb_fde_t *F)
{
	int i;
	if(F == NULL || F->ssl == NULL)
		return;
	for(i = 0; i < 4; i++)
	{
		if(gnutls_bye(SSL_P(F), GNUTLS_SHUT_RDWR) == GNUTLS_E_SUCCESS)
			break;
	}
	gnutls_deinit(SSL_P(F));
	rb_free(F->ssl);
}

unsigned int
rb_ssl_handshake_count(rb_fde_t *F)
{
	return F->handshake_count;
}

void
rb_ssl_clear_handshake_count(rb_fde_t *F)
{
	F->handshake_count = 0;
}

static void
rb_ssl_timeout(rb_fde_t *F, void *notused)
{
	lrb_assert(F->accept != NULL);
	F->accept->callback(F, RB_ERR_TIMEOUT, NULL, 0, F->accept->data);
}


static int
do_ssl_handshake(rb_fde_t *F, PF * callback)
{
	int ret;
	int flags;

	ret = gnutls_handshake(SSL_P(F));
	if(ret < 0)
	{
		if((ret == GNUTLS_E_INTERRUPTED && rb_ignore_errno(errno)) || ret == GNUTLS_E_AGAIN)
		{
			if(gnutls_record_get_direction(SSL_P(F)) == 0)
				flags = RB_SELECT_READ;
			else
				flags = RB_SELECT_WRITE;
			rb_setselect(F, flags, callback, NULL);
			return 0;
		}
		F->ssl_errno = ret;
		return -1;
	}
	return 1;		/* handshake is finished..go about life */
}

static void
rb_ssl_tryaccept(rb_fde_t *F, void *data)
{
	int ret;
	struct acceptdata *ad;

	lrb_assert(F->accept != NULL);

	ret = do_ssl_handshake(F, rb_ssl_tryaccept);

	/* do_ssl_handshake does the rb_setselect */
	if(ret == 0)
		return;

	ad = F->accept;
	F->accept = NULL;
	rb_settimeout(F, 0, NULL, NULL);
	rb_setselect(F, RB_SELECT_READ | RB_SELECT_WRITE, NULL, NULL);
	
	if(ret > 0)
		ad->callback(F, RB_OK, (struct sockaddr *)&ad->S, ad->addrlen, ad->data);
	else
		ad->callback(F, RB_ERROR_SSL, NULL, 0, ad->data);

	rb_free(ad);
}

void
rb_ssl_start_accepted(rb_fde_t *new_F, ACCB * cb, void *data, int timeout)
{
	gnutls_session_t *ssl;
	new_F->type |= RB_FD_SSL;
	ssl = new_F->ssl = rb_malloc(sizeof(gnutls_session_t));
	new_F->accept = rb_malloc(sizeof(struct acceptdata));

	new_F->accept->callback = cb;
	new_F->accept->data = data;
	rb_settimeout(new_F, timeout, rb_ssl_timeout, NULL);

	new_F->accept->addrlen = 0;

	gnutls_init(ssl, GNUTLS_SERVER);
	gnutls_set_default_priority(*ssl);
	gnutls_credentials_set(*ssl, GNUTLS_CRD_CERTIFICATE, x509);
	gnutls_dh_set_prime_bits(*ssl, 1024);
	gnutls_transport_set_ptr(*ssl, (gnutls_transport_ptr_t) (long int)new_F->fd);
	gnutls_certificate_server_set_request(*ssl, GNUTLS_CERT_REQUEST);
	if(do_ssl_handshake(new_F, rb_ssl_tryaccept))
	{
		struct acceptdata *ad = new_F->accept;
		new_F->accept = NULL;
		ad->callback(new_F, RB_OK, (struct sockaddr *)&ad->S, ad->addrlen, ad->data);
		rb_free(ad);
	}

}


void
rb_ssl_accept_setup(rb_fde_t *F, rb_fde_t *new_F, struct sockaddr *st, int addrlen)
{
	new_F->type |= RB_FD_SSL;
	new_F->ssl = rb_malloc(sizeof(gnutls_session_t));
	new_F->accept = rb_malloc(sizeof(struct acceptdata));

	new_F->accept->callback = F->accept->callback;
	new_F->accept->data = F->accept->data;
	rb_settimeout(new_F, 10, rb_ssl_timeout, NULL);
	memcpy(&new_F->accept->S, st, addrlen);
	new_F->accept->addrlen = addrlen;

	gnutls_init((gnutls_session_t *) new_F->ssl, GNUTLS_SERVER);
	gnutls_set_default_priority(SSL_P(new_F));
	gnutls_credentials_set(SSL_P(new_F), GNUTLS_CRD_CERTIFICATE, x509);
	gnutls_dh_set_prime_bits(SSL_P(new_F), 1024);
	gnutls_transport_set_ptr(SSL_P(new_F), (gnutls_transport_ptr_t) (long int)rb_get_fd(new_F));
	gnutls_certificate_server_set_request(SSL_P(new_F), GNUTLS_CERT_REQUEST);
	if(do_ssl_handshake(F, rb_ssl_tryaccept))
	{
		struct acceptdata *ad = F->accept;
		F->accept = NULL;
		ad->callback(F, RB_OK, (struct sockaddr *)&ad->S, ad->addrlen, ad->data);
		rb_free(ad);
	}
}


static ssize_t
rb_ssl_read_or_write(int r_or_w, rb_fde_t *F, void *rbuf, const void *wbuf, size_t count)
{
	ssize_t ret;
	gnutls_session_t *ssl = F->ssl;

	if(r_or_w == 0)
		ret = gnutls_record_recv(*ssl, rbuf, count);
	else
		ret = gnutls_record_send(*ssl, wbuf, count);

	if(ret < 0)
	{
		switch (ret)
		{
		case GNUTLS_E_AGAIN:
		case GNUTLS_E_INTERRUPTED:
			if(rb_ignore_errno(errno))
			{
				if(gnutls_record_get_direction(*ssl) == 0)
					return RB_RW_SSL_NEED_READ;
				else
					return RB_RW_SSL_NEED_WRITE;
				break;
			}
		default:
			F->ssl_errno = ret;
			errno = EIO;
			return RB_RW_IO_ERROR;
		}
	}
	return ret;
}

ssize_t
rb_ssl_read(rb_fde_t *F, void *buf, size_t count)
{
	return rb_ssl_read_or_write(0, F, buf, NULL, count);
}

ssize_t
rb_ssl_write(rb_fde_t *F, const void *buf, size_t count)
{
	return rb_ssl_read_or_write(1, F, NULL, buf, count);
}

static void
rb_gcry_random_seed(void *unused)
{
	gcry_fast_random_poll();
}

int
rb_init_ssl(void)
{
	gnutls_global_init();

	if(gnutls_certificate_allocate_credentials(&x509) != GNUTLS_E_SUCCESS)
	{
		rb_lib_log("rb_init_ssl: Unable to allocate SSL/TLS certificate credentials");
		return 0;
	}
	rb_event_addish("rb_gcry_random_seed", rb_gcry_random_seed, NULL, 300);
	return 1;
}

static void
rb_free_datum_t(gnutls_datum_t * d)
{
	rb_free(d->data);
	rb_free(d);
}

static gnutls_datum_t *
rb_load_file_into_datum_t(const char *file)
{
	FILE *f;
	gnutls_datum_t *datum;
	struct stat fileinfo;
	if((f = fopen(file, "r")) == NULL)
		return NULL;
	if(fstat(fileno(f), &fileinfo))
		return NULL;

	datum = rb_malloc(sizeof(gnutls_datum_t));

	if(fileinfo.st_size > 131072)	/* deal with retards */
		datum->size = 131072;
	else
		datum->size = fileinfo.st_size;

	datum->data = rb_malloc(datum->size + 1);
	fread(datum->data, datum->size, 1, f);
	fclose(f);
	return datum;
}

int
rb_setup_ssl_server(const char *cert, const char *keyfile, const char *dhfile)
{
	int ret;
	gnutls_datum_t *d_cert, *d_key;
	if(cert == NULL)
	{
		rb_lib_log("rb_setup_ssl_server: No certificate file");
		return 0;
	}

	if((d_cert = rb_load_file_into_datum_t(cert)) == NULL)
	{
		rb_lib_log("rb_setup_ssl_server: Error loading certificate: %s", strerror(errno));
		return 0;
	}

	if((d_key = rb_load_file_into_datum_t(keyfile)) == NULL)
	{
		rb_lib_log("rb_setup_ssl_server: Error loading key: %s", strerror(errno));
		return 0;
	}


	if((ret =
	    gnutls_certificate_set_x509_key_mem(x509, d_cert, d_key,
						GNUTLS_X509_FMT_PEM)) != GNUTLS_E_SUCCESS)
	{
		rb_lib_log("rb_setup_ssl_server: Error loading certificate or key file: %s",
			   gnutls_strerror(ret));
		return 0;
	}
	rb_free_datum_t(d_cert);
	rb_free_datum_t(d_key);

	if(dhfile != NULL)
	{
		if(gnutls_dh_params_init(&dh_params) == GNUTLS_E_SUCCESS)
		{
			gnutls_datum_t *data;
			int xret;
			data = rb_load_file_into_datum_t(dhfile);
			if(data != NULL)
			{
				xret = gnutls_dh_params_import_pkcs3(dh_params, data,
								     GNUTLS_X509_FMT_PEM);
				if(xret < 0)
					rb_lib_log
						("rb_setup_ssl_server: Error parsing DH file: %s\n",
						 gnutls_strerror(xret));
				rb_free_datum_t(data);
			}
			gnutls_certificate_set_dh_params(x509, dh_params);
		}
		else
			rb_lib_log("rb_setup_ssl_server: Unable to setup DH parameters");
	}
	return 1;
}

int
rb_ssl_listen(rb_fde_t *F, int backlog)
{
	F->type = RB_FD_SOCKET | RB_FD_LISTEN | RB_FD_SSL;
	return listen(F->fd, backlog);
}

struct ssl_connect
{
	CNCB *callback;
	void *data;
	int timeout;
};

static void
rb_ssl_connect_realcb(rb_fde_t *F, int status, struct ssl_connect *sconn)
{
	F->connect->callback = sconn->callback;
	F->connect->data = sconn->data;
	rb_free(sconn);
	rb_connect_callback(F, status);
}

static void
rb_ssl_tryconn_timeout_cb(rb_fde_t *F, void *data)
{
	rb_ssl_connect_realcb(F, RB_ERR_TIMEOUT, data);
}

static void
rb_ssl_tryconn_cb(rb_fde_t *F, void *data)
{
	struct ssl_connect *sconn = data;
	int ret;

	ret = do_ssl_handshake(F, rb_ssl_tryconn_cb);

	switch (ret)
	{
	case -1:
		rb_ssl_connect_realcb(F, RB_ERROR_SSL, sconn);
		break;
	case 0:
		/* do_ssl_handshake does the rb_setselect stuff */
		return;
	default:
		break;


	}
	rb_ssl_connect_realcb(F, RB_OK, sconn);
}

static void
rb_ssl_tryconn(rb_fde_t *F, int status, void *data)
{
	struct ssl_connect *sconn = data;
	if(status != RB_OK)
	{
		rb_ssl_connect_realcb(F, status, sconn);
		return;
	}

	F->type |= RB_FD_SSL;


	rb_settimeout(F, sconn->timeout, rb_ssl_tryconn_timeout_cb, sconn);
	F->ssl = rb_malloc(sizeof(gnutls_session_t));
	gnutls_init(F->ssl, GNUTLS_CLIENT);
	gnutls_set_default_priority(SSL_P(F));
	gnutls_dh_set_prime_bits(SSL_P(F), 1024);
	gnutls_transport_set_ptr(SSL_P(F), (gnutls_transport_ptr_t) (long int)F->fd);

	if(do_ssl_handshake(F, rb_ssl_tryconn_cb))
	{
		rb_ssl_connect_realcb(F, RB_OK, sconn);
	}
}

void
rb_connect_tcp_ssl(rb_fde_t *F, struct sockaddr *dest,
		   struct sockaddr *clocal, int socklen, CNCB * callback, void *data, int timeout)
{
	struct ssl_connect *sconn;
	if(F == NULL)
		return;

	sconn = rb_malloc(sizeof(struct ssl_connect));
	sconn->data = data;
	sconn->callback = callback;
	sconn->timeout = timeout;
	rb_connect_tcp(F, dest, clocal, socklen, rb_ssl_tryconn, sconn, timeout);

}

void
rb_ssl_start_connected(rb_fde_t *F, CNCB * callback, void *data, int timeout)
{
	struct ssl_connect *sconn;
	if(F == NULL)
		return;

	sconn = rb_malloc(sizeof(struct ssl_connect));
	sconn->data = data;
	sconn->callback = callback;
	sconn->timeout = timeout;
	F->connect = rb_malloc(sizeof(struct conndata));
	F->connect->callback = callback;
	F->connect->data = data;
	F->type |= RB_FD_SSL;
	F->ssl = rb_malloc(sizeof(gnutls_session_t));

	gnutls_init(F->ssl, GNUTLS_CLIENT);
	gnutls_set_default_priority(SSL_P(F));
	gnutls_dh_set_prime_bits(SSL_P(F), 1024);
	gnutls_transport_set_ptr(SSL_P(F), (gnutls_transport_ptr_t) (long int)F->fd);

	rb_settimeout(F, sconn->timeout, rb_ssl_tryconn_timeout_cb, sconn);

	if(do_ssl_handshake(F, rb_ssl_tryconn_cb))
	{
		rb_ssl_connect_realcb(F, RB_OK, sconn);
	}
}

int
rb_init_prng(const char *path, prng_seed_t seed_type)
{
	gcry_fast_random_poll();
	return 1;
}

int
rb_get_random(void *buf, size_t length)
{
	gcry_randomize(buf, length, GCRY_STRONG_RANDOM);
	return 1;
}

int
rb_get_pseudo_random(void *buf, size_t length)
{
	gcry_randomize(buf, length, GCRY_WEAK_RANDOM);
	return 1;
}

const char *
rb_get_ssl_strerror(rb_fde_t *F)
{
	return gnutls_strerror(F->ssl_errno);
}

int
rb_get_ssl_certfp(rb_fde_t *F, uint8_t certfp[RB_SSL_CERTFP_LEN])
{
	gnutls_x509_crt_t cert;
	unsigned int cert_list_size;
	const gnutls_datum_t *cert_list;
	uint8_t digest[RB_SSL_CERTFP_LEN * 2];
	size_t digest_size;

	if (gnutls_certificate_type_get(SSL_P(F)) != GNUTLS_CRT_X509)
		return 0;

	if (gnutls_x509_crt_init(&cert) < 0)
		return 0;

	cert_list_size = 0;
	cert_list = gnutls_certificate_get_peers(SSL_P(F), &cert_list_size);
	if (cert_list == NULL)
	{
		gnutls_x509_crt_deinit(cert);
		return 0;
	}

	if (gnutls_x509_crt_import(cert, &cert_list[0], GNUTLS_X509_FMT_DER) < 0)
	{
		gnutls_x509_crt_deinit(cert);
		return 0;
	}

	if (gnutls_x509_crt_get_fingerprint(cert, GNUTLS_DIG_SHA1, digest, &digest_size) < 0)
	{
		gnutls_x509_crt_deinit(cert);
		return 0;
	}

	memcpy(certfp, digest, RB_SSL_CERTFP_LEN);

	gnutls_x509_crt_deinit(cert);
	return 1;
}

int
rb_supports_ssl(void)
{
	return 1;
}

void
rb_get_ssl_info(char *buf, size_t len)
{
	rb_snprintf(buf, len, "GNUTLS: compiled (%s), library(%s)", 
		    LIBGNUTLS_VERSION, gnutls_check_version(NULL));
}
  
        
#endif /* HAVE_GNUTLS */
Commit	Line	Data
af6f5d47 WP	1	/*
	2	* libratbox: a library used by ircd-ratbox and other things
	3	* gnutls.c: gnutls related code
	4	*
	5	* Copyright (C) 2007-2008 ircd-ratbox development team
	6	* Copyright (C) 2007-2008 Aaron Sethman <androsyn@ratbox.org>
af6f5d47 WP	7	*
	8	* This program is free software; you can redistribute it and/or modify
	9	* it under the terms of the GNU General Public License as published by
	10	* the Free Software Foundation; either version 2 of the License, or
	11	* (at your option) any later version.
	12	*
	13	* This program is distributed in the hope that it will be useful,
	14	* but WITHOUT ANY WARRANTY; without even the implied warranty of
	15	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	16	* GNU General Public License for more details.
	17	*
	18	* You should have received a copy of the GNU General Public License
	19	* along with this program; if not, write to the Free Software
	20	* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301
	21	* USA
	22	*
af6f5d47 WP	23	*/
	24
	25	#include <libratbox_config.h>
	26	#include <ratbox_lib.h>
af6f5d47 WP	27	#include <commio-int.h>
af6f5d47 WP	28	#include <commio-ssl.h>
033be687 VY	29	#ifdef HAVE_GNUTLS
033be687 VY	30
af6f5d47	31	#include <gnutls/gnutls.h>
0a625836	32	#include <gnutls/x509.h>
033be687 VY	33	#include <gcrypt.h>
	34
	35	static gnutls_certificate_credentials x509;
	36	static gnutls_dh_params dh_params;
af6f5d47	37
033be687 VY	38
	39
	40	#define SSL_P(x) ((gnutls_session_t )F->ssl)
af6f5d47 WP	41
af6f5d47 WP	42	void
94b4fbf9	43	rb_ssl_shutdown(rb_fde_t *F)
af6f5d47	44	{
033be687	45	int i;
af6f5d47 WP	46	if(F == NULL \|\| F->ssl == NULL)
af6f5d47 WP	47	return;
94b4fbf9	48	for(i = 0; i < 4; i++)
033be687 VY	49	{
	50	if(gnutls_bye(SSL_P(F), GNUTLS_SHUT_RDWR) == GNUTLS_E_SUCCESS)
	51	break;
	52	}
	53	gnutls_deinit(SSL_P(F));
	54	rb_free(F->ssl);
	55	}
af6f5d47	56
033be687 VY	57	unsigned int
	58	rb_ssl_handshake_count(rb_fde_t *F)
	59	{
	60	return F->handshake_count;
	61	}
	62
	63	void
	64	rb_ssl_clear_handshake_count(rb_fde_t *F)
	65	{
	66	F->handshake_count = 0;
af6f5d47 WP	67	}
	68
	69	static void
94b4fbf9	70	rb_ssl_timeout(rb_fde_t F, void notused)
af6f5d47 WP	71	{
	72	lrb_assert(F->accept != NULL);
	73	F->accept->callback(F, RB_ERR_TIMEOUT, NULL, 0, F->accept->data);
	74	}
	75
033be687	76
94b4fbf9 VY	77	static int
94b4fbf9 VY	78	do_ssl_handshake(rb_fde_t F, PF callback)
033be687 VY	79	{
033be687 VY	80	int ret;
94b4fbf9	81	int flags;
033be687 VY	82
	83	ret = gnutls_handshake(SSL_P(F));
	84	if(ret < 0)
	85	{
	86	if((ret == GNUTLS_E_INTERRUPTED && rb_ignore_errno(errno)) \|\| ret == GNUTLS_E_AGAIN)
	87	{
	88	if(gnutls_record_get_direction(SSL_P(F)) == 0)
	89	flags = RB_SELECT_READ;
	90	else
	91	flags = RB_SELECT_WRITE;
94b4fbf9	92	rb_setselect(F, flags, callback, NULL);
033be687 VY	93	return 0;
	94	}
	95	F->ssl_errno = ret;
	96	return -1;
94b4fbf9 VY	97	}
94b4fbf9 VY	98	return 1; /* handshake is finished..go about life */
033be687 VY	99	}
033be687 VY	100
af6f5d47	101	static void
94b4fbf9	102	rb_ssl_tryaccept(rb_fde_t F, void data)
af6f5d47	103	{
033be687	104	int ret;
af6f5d47 WP	105	struct acceptdata *ad;
af6f5d47 WP	106
033be687	107	lrb_assert(F->accept != NULL);
af6f5d47	108
033be687	109	ret = do_ssl_handshake(F, rb_ssl_tryaccept);
94b4fbf9	110
f030cae8 VY	111	/* do_ssl_handshake does the rb_setselect */
f030cae8 VY	112	if(ret == 0)
94b4fbf9	113	return;
94b4fbf9	114
f030cae8 VY	115	ad = F->accept;
f030cae8 VY	116	F->accept = NULL;
af6f5d47 WP	117	rb_settimeout(F, 0, NULL, NULL);
af6f5d47 WP	118	rb_setselect(F, RB_SELECT_READ \| RB_SELECT_WRITE, NULL, NULL);
f030cae8 VY	119
	120	if(ret > 0)
	121	ad->callback(F, RB_OK, (struct sockaddr *)&ad->S, ad->addrlen, ad->data);
	122	else
	123	ad->callback(F, RB_ERROR_SSL, NULL, 0, ad->data);
94b4fbf9	124
af6f5d47 WP	125	rb_free(ad);
	126	}
	127
	128	void
94b4fbf9	129	rb_ssl_start_accepted(rb_fde_t new_F, ACCB cb, void *data, int timeout)
af6f5d47	130	{
033be687	131	gnutls_session_t *ssl;
af6f5d47	132	new_F->type \|= RB_FD_SSL;
033be687	133	ssl = new_F->ssl = rb_malloc(sizeof(gnutls_session_t));
af6f5d47	134	new_F->accept = rb_malloc(sizeof(struct acceptdata));
94b4fbf9	135
af6f5d47 WP	136	new_F->accept->callback = cb;
	137	new_F->accept->data = data;
	138	rb_settimeout(new_F, timeout, rb_ssl_timeout, NULL);
	139
	140	new_F->accept->addrlen = 0;
	141
94b4fbf9	142	gnutls_init(ssl, GNUTLS_SERVER);
033be687 VY	143	gnutls_set_default_priority(*ssl);
	144	gnutls_credentials_set(*ssl, GNUTLS_CRD_CERTIFICATE, x509);
	145	gnutls_dh_set_prime_bits(*ssl, 1024);
	146	gnutls_transport_set_ptr(*ssl, (gnutls_transport_ptr_t) (long int)new_F->fd);
0a625836	147	gnutls_certificate_server_set_request(*ssl, GNUTLS_CERT_REQUEST);
033be687	148	if(do_ssl_handshake(new_F, rb_ssl_tryaccept))
af6f5d47	149	{
033be687	150	struct acceptdata *ad = new_F->accept;
af6f5d47	151	new_F->accept = NULL;
94b4fbf9 VY	152	ad->callback(new_F, RB_OK, (struct sockaddr *)&ad->S, ad->addrlen, ad->data);
94b4fbf9 VY	153	rb_free(ad);
af6f5d47	154	}
033be687	155
af6f5d47 WP	156	}
af6f5d47 WP	157
033be687 VY	158
	159
	160
af6f5d47	161	void
94b4fbf9	162	rb_ssl_accept_setup(rb_fde_t F, rb_fde_t new_F, struct sockaddr *st, int addrlen)
af6f5d47	163	{
af6f5d47	164	new_F->type \|= RB_FD_SSL;
033be687	165	new_F->ssl = rb_malloc(sizeof(gnutls_session_t));
af6f5d47 WP	166	new_F->accept = rb_malloc(sizeof(struct acceptdata));
	167
	168	new_F->accept->callback = F->accept->callback;
	169	new_F->accept->data = F->accept->data;
	170	rb_settimeout(new_F, 10, rb_ssl_timeout, NULL);
	171	memcpy(&new_F->accept->S, st, addrlen);
	172	new_F->accept->addrlen = addrlen;
	173
94b4fbf9	174	gnutls_init((gnutls_session_t *) new_F->ssl, GNUTLS_SERVER);
033be687 VY	175	gnutls_set_default_priority(SSL_P(new_F));
	176	gnutls_credentials_set(SSL_P(new_F), GNUTLS_CRD_CERTIFICATE, x509);
	177	gnutls_dh_set_prime_bits(SSL_P(new_F), 1024);
4414eb3c	178	gnutls_transport_set_ptr(SSL_P(new_F), (gnutls_transport_ptr_t) (long int)rb_get_fd(new_F));
0a625836	179	gnutls_certificate_server_set_request(SSL_P(new_F), GNUTLS_CERT_REQUEST);
033be687	180	if(do_ssl_handshake(F, rb_ssl_tryaccept))
af6f5d47	181	{
033be687 VY	182	struct acceptdata *ad = F->accept;
033be687 VY	183	F->accept = NULL;
94b4fbf9 VY	184	ad->callback(F, RB_OK, (struct sockaddr *)&ad->S, ad->addrlen, ad->data);
94b4fbf9 VY	185	rb_free(ad);
033be687 VY	186	}
033be687 VY	187	}
af6f5d47	188
af6f5d47	189
af6f5d47	190
af6f5d47 WP	191
af6f5d47 WP	192	static ssize_t
94b4fbf9	193	rb_ssl_read_or_write(int r_or_w, rb_fde_t F, void rbuf, const void *wbuf, size_t count)
af6f5d47 WP	194	{
af6f5d47 WP	195	ssize_t ret;
033be687	196	gnutls_session_t *ssl = F->ssl;
af6f5d47 WP	197
af6f5d47 WP	198	if(r_or_w == 0)
033be687	199	ret = gnutls_record_recv(*ssl, rbuf, count);
af6f5d47	200	else
033be687	201	ret = gnutls_record_send(*ssl, wbuf, count);
af6f5d47 WP	202
	203	if(ret < 0)
	204	{
94b4fbf9	205	switch (ret)
af6f5d47 WP	206	{
af6f5d47 WP	207	case GNUTLS_E_AGAIN:
af6f5d47	208	case GNUTLS_E_INTERRUPTED:
033be687	209	if(rb_ignore_errno(errno))
af6f5d47	210	{
033be687 VY	211	if(gnutls_record_get_direction(*ssl) == 0)
	212	return RB_RW_SSL_NEED_READ;
	213	else
	214	return RB_RW_SSL_NEED_WRITE;
	215	break;
af6f5d47	216	}
af6f5d47	217	default:
033be687 VY	218	F->ssl_errno = ret;
	219	errno = EIO;
	220	return RB_RW_IO_ERROR;
af6f5d47	221	}
af6f5d47 WP	222	}
	223	return ret;
	224	}
	225
	226	ssize_t
94b4fbf9	227	rb_ssl_read(rb_fde_t F, void buf, size_t count)
af6f5d47 WP	228	{
	229	return rb_ssl_read_or_write(0, F, buf, NULL, count);
	230	}
	231
	232	ssize_t
94b4fbf9	233	rb_ssl_write(rb_fde_t F, const void buf, size_t count)
af6f5d47 WP	234	{
	235	return rb_ssl_read_or_write(1, F, NULL, buf, count);
	236	}
	237
033be687 VY	238	static void
	239	rb_gcry_random_seed(void *unused)
	240	{
	241	gcry_fast_random_poll();
	242	}
	243
af6f5d47 WP	244	int
	245	rb_init_ssl(void)
	246	{
af6f5d47	247	gnutls_global_init();
94b4fbf9	248
033be687	249	if(gnutls_certificate_allocate_credentials(&x509) != GNUTLS_E_SUCCESS)
af6f5d47	250	{
033be687 VY	251	rb_lib_log("rb_init_ssl: Unable to allocate SSL/TLS certificate credentials");
033be687 VY	252	return 0;
af6f5d47	253	}
033be687 VY	254	rb_event_addish("rb_gcry_random_seed", rb_gcry_random_seed, NULL, 300);
	255	return 1;
	256	}
af6f5d47	257
033be687	258	static void
94b4fbf9	259	rb_free_datum_t(gnutls_datum_t * d)
033be687 VY	260	{
	261	rb_free(d->data);
	262	rb_free(d);
	263	}
af6f5d47	264
033be687 VY	265	static gnutls_datum_t *
	266	rb_load_file_into_datum_t(const char *file)
	267	{
	268	FILE *f;
	269	gnutls_datum_t *datum;
	270	struct stat fileinfo;
	271	if((f = fopen(file, "r")) == NULL)
	272	return NULL;
	273	if(fstat(fileno(f), &fileinfo))
	274	return NULL;
	275
	276	datum = rb_malloc(sizeof(gnutls_datum_t));
	277
94b4fbf9	278	if(fileinfo.st_size > 131072) /* deal with retards */
033be687 VY	279	datum->size = 131072;
033be687 VY	280	else
94b4fbf9 VY	281	datum->size = fileinfo.st_size;
94b4fbf9 VY	282
033be687 VY	283	datum->data = rb_malloc(datum->size + 1);
	284	fread(datum->data, datum->size, 1, f);
	285	fclose(f);
94b4fbf9	286	return datum;
af6f5d47 WP	287	}
	288
	289	int
	290	rb_setup_ssl_server(const char cert, const char keyfile, const char *dhfile)
	291	{
033be687 VY	292	int ret;
	293	gnutls_datum_t d_cert, d_key;
	294	if(cert == NULL)
	295	{
	296	rb_lib_log("rb_setup_ssl_server: No certificate file");
	297	return 0;
	298	}
af6f5d47	299
033be687	300	if((d_cert = rb_load_file_into_datum_t(cert)) == NULL)
af6f5d47	301	{
033be687	302	rb_lib_log("rb_setup_ssl_server: Error loading certificate: %s", strerror(errno));
af6f5d47 WP	303	return 0;
	304	}
	305
033be687 VY	306	if((d_key = rb_load_file_into_datum_t(keyfile)) == NULL)
	307	{
	308	rb_lib_log("rb_setup_ssl_server: Error loading key: %s", strerror(errno));
	309	return 0;
	310	}
94b4fbf9 VY	311
	312
	313	if((ret =
	314	gnutls_certificate_set_x509_key_mem(x509, d_cert, d_key,
	315	GNUTLS_X509_FMT_PEM)) != GNUTLS_E_SUCCESS)
033be687	316	{
94b4fbf9 VY	317	rb_lib_log("rb_setup_ssl_server: Error loading certificate or key file: %s",
94b4fbf9 VY	318	gnutls_strerror(ret));
033be687 VY	319	return 0;
	320	}
	321	rb_free_datum_t(d_cert);
	322	rb_free_datum_t(d_key);
94b4fbf9	323
033be687 VY	324	if(dhfile != NULL)
	325	{
	326	if(gnutls_dh_params_init(&dh_params) == GNUTLS_E_SUCCESS)
	327	{
	328	gnutls_datum_t *data;
	329	int xret;
	330	data = rb_load_file_into_datum_t(dhfile);
	331	if(data != NULL)
	332	{
94b4fbf9 VY	333	xret = gnutls_dh_params_import_pkcs3(dh_params, data,
94b4fbf9 VY	334	GNUTLS_X509_FMT_PEM);
033be687	335	if(xret < 0)
94b4fbf9 VY	336	rb_lib_log
	337	("rb_setup_ssl_server: Error parsing DH file: %s\n",
	338	gnutls_strerror(xret));
033be687 VY	339	rb_free_datum_t(data);
	340	}
	341	gnutls_certificate_set_dh_params(x509, dh_params);
94b4fbf9 VY	342	}
94b4fbf9 VY	343	else
033be687 VY	344	rb_lib_log("rb_setup_ssl_server: Unable to setup DH parameters");
033be687 VY	345	}
af6f5d47 WP	346	return 1;
	347	}
	348
	349	int
94b4fbf9	350	rb_ssl_listen(rb_fde_t *F, int backlog)
af6f5d47 WP	351	{
	352	F->type = RB_FD_SOCKET \| RB_FD_LISTEN \| RB_FD_SSL;
	353	return listen(F->fd, backlog);
	354	}
	355
	356	struct ssl_connect
	357	{
	358	CNCB *callback;
	359	void *data;
	360	int timeout;
	361	};
	362
	363	static void
94b4fbf9	364	rb_ssl_connect_realcb(rb_fde_t F, int status, struct ssl_connect sconn)
af6f5d47 WP	365	{
	366	F->connect->callback = sconn->callback;
	367	F->connect->data = sconn->data;
	368	rb_free(sconn);
	369	rb_connect_callback(F, status);
	370	}
	371
	372	static void
94b4fbf9	373	rb_ssl_tryconn_timeout_cb(rb_fde_t F, void data)
af6f5d47 WP	374	{
	375	rb_ssl_connect_realcb(F, RB_ERR_TIMEOUT, data);
	376	}
	377
	378	static void
94b4fbf9	379	rb_ssl_tryconn_cb(rb_fde_t F, void data)
af6f5d47 WP	380	{
af6f5d47 WP	381	struct ssl_connect *sconn = data;
033be687 VY	382	int ret;
033be687 VY	383
94b4fbf9 VY	384	ret = do_ssl_handshake(F, rb_ssl_tryconn_cb);
	385
	386	switch (ret)
	387	{
	388	case -1:
	389	rb_ssl_connect_realcb(F, RB_ERROR_SSL, sconn);
	390	break;
	391	case 0:
	392	/* do_ssl_handshake does the rb_setselect stuff */
	393	return;
	394	default:
	395	break;
	396
	397
	398	}
033be687	399	rb_ssl_connect_realcb(F, RB_OK, sconn);
af6f5d47 WP	400	}
	401
	402	static void
94b4fbf9	403	rb_ssl_tryconn(rb_fde_t F, int status, void data)
af6f5d47	404	{
af6f5d47	405	struct ssl_connect *sconn = data;
af6f5d47 WP	406	if(status != RB_OK)
	407	{
	408	rb_ssl_connect_realcb(F, status, sconn);
	409	return;
	410	}
	411
	412	F->type \|= RB_FD_SSL;
	413
94b4fbf9	414
af6f5d47	415	rb_settimeout(F, sconn->timeout, rb_ssl_tryconn_timeout_cb, sconn);
033be687	416	F->ssl = rb_malloc(sizeof(gnutls_session_t));
94b4fbf9 VY	417	gnutls_init(F->ssl, GNUTLS_CLIENT);
94b4fbf9 VY	418	gnutls_set_default_priority(SSL_P(F));
033be687 VY	419	gnutls_dh_set_prime_bits(SSL_P(F), 1024);
	420	gnutls_transport_set_ptr(SSL_P(F), (gnutls_transport_ptr_t) (long int)F->fd);
	421
	422	if(do_ssl_handshake(F, rb_ssl_tryconn_cb))
af6f5d47 WP	423	{
	424	rb_ssl_connect_realcb(F, RB_OK, sconn);
	425	}
	426	}
	427
	428	void
94b4fbf9	429	rb_connect_tcp_ssl(rb_fde_t F, struct sockaddr dest,
af6f5d47 WP	430	struct sockaddr clocal, int socklen, CNCB callback, void *data, int timeout)
	431	{
	432	struct ssl_connect *sconn;
	433	if(F == NULL)
	434	return;
	435
	436	sconn = rb_malloc(sizeof(struct ssl_connect));
	437	sconn->data = data;
	438	sconn->callback = callback;
	439	sconn->timeout = timeout;
	440	rb_connect_tcp(F, dest, clocal, socklen, rb_ssl_tryconn, sconn, timeout);
033be687	441
af6f5d47 WP	442	}
	443
	444	void
94b4fbf9	445	rb_ssl_start_connected(rb_fde_t F, CNCB callback, void *data, int timeout)
af6f5d47	446	{
af6f5d47	447	struct ssl_connect *sconn;
af6f5d47 WP	448	if(F == NULL)
	449	return;
	450
	451	sconn = rb_malloc(sizeof(struct ssl_connect));
	452	sconn->data = data;
	453	sconn->callback = callback;
	454	sconn->timeout = timeout;
	455	F->connect = rb_malloc(sizeof(struct conndata));
	456	F->connect->callback = callback;
	457	F->connect->data = data;
	458	F->type \|= RB_FD_SSL;
033be687	459	F->ssl = rb_malloc(sizeof(gnutls_session_t));
94b4fbf9 VY	460
	461	gnutls_init(F->ssl, GNUTLS_CLIENT);
	462	gnutls_set_default_priority(SSL_P(F));
033be687 VY	463	gnutls_dh_set_prime_bits(SSL_P(F), 1024);
033be687 VY	464	gnutls_transport_set_ptr(SSL_P(F), (gnutls_transport_ptr_t) (long int)F->fd);
94b4fbf9	465
af6f5d47	466	rb_settimeout(F, sconn->timeout, rb_ssl_tryconn_timeout_cb, sconn);
033be687 VY	467
033be687 VY	468	if(do_ssl_handshake(F, rb_ssl_tryconn_cb))
af6f5d47 WP	469	{
	470	rb_ssl_connect_realcb(F, RB_OK, sconn);
	471	}
	472	}
	473
af6f5d47 WP	474	int
	475	rb_init_prng(const char *path, prng_seed_t seed_type)
	476	{
033be687 VY	477	gcry_fast_random_poll();
033be687 VY	478	return 1;
af6f5d47 WP	479	}
	480
	481	int
	482	rb_get_random(void *buf, size_t length)
	483	{
033be687 VY	484	gcry_randomize(buf, length, GCRY_STRONG_RANDOM);
033be687 VY	485	return 1;
af6f5d47 WP	486	}
af6f5d47 WP	487
4414eb3c VY	488	int
	489	rb_get_pseudo_random(void *buf, size_t length)
	490	{
	491	gcry_randomize(buf, length, GCRY_WEAK_RANDOM);
	492	return 1;
	493	}
af6f5d47 WP	494
af6f5d47 WP	495	const char *
94b4fbf9	496	rb_get_ssl_strerror(rb_fde_t *F)
af6f5d47 WP	497	{
	498	return gnutls_strerror(F->ssl_errno);
	499	}
	500
a099270d JT	501	int
	502	rb_get_ssl_certfp(rb_fde_t *F, uint8_t certfp[RB_SSL_CERTFP_LEN])
	503	{
0a625836 WP	504	gnutls_x509_crt_t cert;
	505	unsigned int cert_list_size;
	506	const gnutls_datum_t *cert_list;
	507	uint8_t digest[RB_SSL_CERTFP_LEN * 2];
	508	size_t digest_size;
	509
	510	if (gnutls_certificate_type_get(SSL_P(F)) != GNUTLS_CRT_X509)
	511	return 0;
	512
	513	if (gnutls_x509_crt_init(&cert) < 0)
	514	return 0;
	515
	516	cert_list_size = 0;
	517	cert_list = gnutls_certificate_get_peers(SSL_P(F), &cert_list_size);
	518	if (cert_list == NULL)
	519	{
	520	gnutls_x509_crt_deinit(cert);
	521	return 0;
	522	}
	523
	524	if (gnutls_x509_crt_import(cert, &cert_list[0], GNUTLS_X509_FMT_DER) < 0)
	525	{
	526	gnutls_x509_crt_deinit(cert);
	527	return 0;
	528	}
	529
	530	if (gnutls_x509_crt_get_fingerprint(cert, GNUTLS_DIG_SHA1, digest, &digest_size) < 0)
	531	{
	532	gnutls_x509_crt_deinit(cert);
	533	return 0;
	534	}
	535
	536	memcpy(certfp, digest, RB_SSL_CERTFP_LEN);
	537
ed1dc6b3	538	gnutls_x509_crt_deinit(cert);
0a625836	539	return 1;
a099270d JT	540	}
a099270d JT	541
af6f5d47 WP	542	int
	543	rb_supports_ssl(void)
	544	{
	545	return 1;
	546	}
	547
f030cae8 VY	548	void
	549	rb_get_ssl_info(char *buf, size_t len)
	550	{
	551	rb_snprintf(buf, len, "GNUTLS: compiled (%s), library(%s)",
	552	LIBGNUTLS_VERSION, gnutls_check_version(NULL));
	553	}
	554
	555
af6f5d47	556	#endif /* HAVE_GNUTLS */