[irc/rqf/shadowircd.git] / libratbox / src / openssl.c

/*
 *  libratbox: a library used by ircd-ratbox and other things
 *  openssl.c: openssl related code
 *
 *  Copyright (C) 2007-2008 ircd-ratbox development team
 *  Copyright (C) 2007-2008 Aaron Sethman <androsyn@ratbox.org>
 *
 *  This program is free software; you can redistribute it and/or modify
 *  it under the terms of the GNU General Public License as published by
 *  the Free Software Foundation; either version 2 of the License, or
 *  (at your option) any later version.
 *
 *  This program is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *  GNU General Public License for more details.
 *  
 *  You should have received a copy of the GNU General Public License
 *  along with this program; if not, write to the Free Software
 *  Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301
 *  USA
 *
 */

#include <libratbox_config.h>
#include <ratbox_lib.h>

#ifdef HAVE_OPENSSL

#include <commio-int.h>
#include <commio-ssl.h>
#include <openssl/ssl.h>
#include <openssl/dh.h>
#include <openssl/err.h>
#include <openssl/rand.h>

static SSL_CTX *ssl_server_ctx;
static SSL_CTX *ssl_client_ctx;
static int libratbox_index = -1;

static unsigned long
get_last_err(void)
{
	unsigned long t_err, err = 0;
	err = ERR_get_error();
	if(err == 0)
		return 0;

	while((t_err = ERR_get_error()) > 0)
		err = t_err;

	return err;
}

void
rb_ssl_shutdown(rb_fde_t *F)
{
	int i;
	if(F == NULL || F->ssl == NULL)
		return;
	SSL_set_shutdown((SSL *) F->ssl, SSL_RECEIVED_SHUTDOWN);

	for(i = 0; i < 4; i++)
	{
		if(SSL_shutdown((SSL *) F->ssl))
			break;
	}
	get_last_err();
	SSL_free((SSL *) F->ssl);
}

unsigned int
rb_ssl_handshake_count(rb_fde_t *F)
{
	return F->handshake_count;
}

void
rb_ssl_clear_handshake_count(rb_fde_t *F)
{
	F->handshake_count = 0;
}

static void
rb_ssl_timeout(rb_fde_t *F, void *notused)
{
	lrb_assert(F->accept != NULL);
	F->accept->callback(F, RB_ERR_TIMEOUT, NULL, 0, F->accept->data);
}


static void
rb_ssl_info_callback(SSL * ssl, int where, int ret)
{
	if(where & SSL_CB_HANDSHAKE_START)
	{
		rb_fde_t *F = SSL_get_ex_data(ssl, libratbox_index);
		if(F == NULL)
			return;
		F->handshake_count++;
	}
}

static void
rb_setup_ssl_cb(rb_fde_t *F)
{
	SSL_set_ex_data(F->ssl, libratbox_index, (char *)F);
	SSL_set_info_callback((SSL *) F->ssl, (void (*)(const SSL *,int,int))rb_ssl_info_callback);
}

static void
rb_ssl_tryaccept(rb_fde_t *F, void *data)
{
	int ssl_err;
	lrb_assert(F->accept != NULL);
	int flags;
	struct acceptdata *ad;

	if(!SSL_is_init_finished((SSL *) F->ssl))
	{
		if((ssl_err = SSL_accept((SSL *) F->ssl)) <= 0)
		{
			switch (ssl_err = SSL_get_error((SSL *) F->ssl, ssl_err))
			{
			case SSL_ERROR_WANT_READ:
			case SSL_ERROR_WANT_WRITE:
				if(ssl_err == SSL_ERROR_WANT_WRITE)
					flags = RB_SELECT_WRITE;
				else
					flags = RB_SELECT_READ;
				F->ssl_errno = get_last_err();
				rb_setselect(F, flags, rb_ssl_tryaccept, NULL);
				break;
			case SSL_ERROR_SYSCALL:
				F->accept->callback(F, RB_ERROR, NULL, 0, F->accept->data);
				break;
			default:
				F->ssl_errno = get_last_err();
				F->accept->callback(F, RB_ERROR_SSL, NULL, 0, F->accept->data);
				break;
			}
			return;
		}
	}
	rb_settimeout(F, 0, NULL, NULL);
	rb_setselect(F, RB_SELECT_READ | RB_SELECT_WRITE, NULL, NULL);

	ad = F->accept;
	F->accept = NULL;
	ad->callback(F, RB_OK, (struct sockaddr *)&ad->S, ad->addrlen, ad->data);
	rb_free(ad);

}


static void
rb_ssl_accept_common(rb_fde_t *new_F)
{
	int ssl_err;
	if((ssl_err = SSL_accept((SSL *) new_F->ssl)) <= 0)
	{
		switch (ssl_err = SSL_get_error((SSL *) new_F->ssl, ssl_err))
		{
		case SSL_ERROR_SYSCALL:
			if(rb_ignore_errno(errno))
		case SSL_ERROR_WANT_READ:
		case SSL_ERROR_WANT_WRITE:
				{
					new_F->ssl_errno = get_last_err();
					rb_setselect(new_F, RB_SELECT_READ | RB_SELECT_WRITE,
						     rb_ssl_tryaccept, NULL);
					return;
				}
		default:
			new_F->ssl_errno = get_last_err();
			new_F->accept->callback(new_F, RB_ERROR_SSL, NULL, 0, new_F->accept->data);
			return;
		}
	}
	else
	{
		rb_ssl_tryaccept(new_F, NULL);
	}
}

void
rb_ssl_start_accepted(rb_fde_t *new_F, ACCB * cb, void *data, int timeout)
{
	new_F->type |= RB_FD_SSL;
	new_F->ssl = SSL_new(ssl_server_ctx);
	new_F->accept = rb_malloc(sizeof(struct acceptdata));

	new_F->accept->callback = cb;
	new_F->accept->data = data;
	rb_settimeout(new_F, timeout, rb_ssl_timeout, NULL);

	new_F->accept->addrlen = 0;
	SSL_set_fd((SSL *) new_F->ssl, rb_get_fd(new_F));
	rb_setup_ssl_cb(new_F);
	rb_ssl_accept_common(new_F);
}


void
rb_ssl_accept_setup(rb_fde_t *F, rb_fde_t *new_F, struct sockaddr *st, int addrlen)
{
	new_F->type |= RB_FD_SSL;
	new_F->ssl = SSL_new(ssl_server_ctx);
	new_F->accept = rb_malloc(sizeof(struct acceptdata));

	new_F->accept->callback = F->accept->callback;
	new_F->accept->data = F->accept->data;
	rb_settimeout(new_F, 10, rb_ssl_timeout, NULL);
	memcpy(&new_F->accept->S, st, addrlen);
	new_F->accept->addrlen = addrlen;

	SSL_set_fd((SSL *) new_F->ssl, rb_get_fd(new_F));
	rb_setup_ssl_cb(new_F);
	rb_ssl_accept_common(new_F);
}

static ssize_t
rb_ssl_read_or_write(int r_or_w, rb_fde_t *F, void *rbuf, const void *wbuf, size_t count)
{
	ssize_t ret;
	unsigned long err;
	SSL *ssl = F->ssl;

	if(r_or_w == 0)
		ret = (ssize_t) SSL_read(ssl, rbuf, (int)count);
	else
		ret = (ssize_t) SSL_write(ssl, wbuf, (int)count);

	if(ret < 0)
	{
		switch (SSL_get_error(ssl, ret))
		{
		case SSL_ERROR_WANT_READ:
			errno = EAGAIN;
			return RB_RW_SSL_NEED_READ;
		case SSL_ERROR_WANT_WRITE:
			errno = EAGAIN;
			return RB_RW_SSL_NEED_WRITE;
		case SSL_ERROR_ZERO_RETURN:
			return 0;
		case SSL_ERROR_SYSCALL:
			err = get_last_err();
			if(err == 0)
			{
				F->ssl_errno = 0;
				return RB_RW_IO_ERROR;
			}
			break;
		default:
			err = get_last_err();
			break;
		}
		F->ssl_errno = err;
		if(err > 0)
		{
			errno = EIO;	/* not great but... */
			return RB_RW_SSL_ERROR;
		}
		return RB_RW_IO_ERROR;
	}
	return ret;
}

ssize_t
rb_ssl_read(rb_fde_t *F, void *buf, size_t count)
{
	return rb_ssl_read_or_write(0, F, buf, NULL, count);
}

ssize_t
rb_ssl_write(rb_fde_t *F, const void *buf, size_t count)
{
	return rb_ssl_read_or_write(1, F, NULL, buf, count);
}

static int
verify_accept_all_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)
{
	return 1;
}

static const char *
get_ssl_error(unsigned long err)
{
	static char buf[512];

	ERR_error_string_n(err, buf, sizeof buf);
	return buf;
}

int
rb_init_ssl(void)
{
	int ret = 1;
	char libratbox_data[] = "libratbox data";
	SSL_load_error_strings();
	SSL_library_init();
	libratbox_index = SSL_get_ex_new_index(0, libratbox_data, NULL, NULL, NULL);
	ssl_server_ctx = SSL_CTX_new(SSLv23_server_method());
	if(ssl_server_ctx == NULL)
	{
		rb_lib_log("rb_init_openssl: Unable to initialize OpenSSL server context: %s",
			   get_ssl_error(ERR_get_error()));
		ret = 0;
	}
	/* Disable SSLv2, make the client use our settings */
	SSL_CTX_set_options(ssl_server_ctx, SSL_OP_NO_SSLv2 | SSL_OP_CIPHER_SERVER_PREFERENCE);
	SSL_CTX_set_verify(ssl_server_ctx, SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE, verify_accept_all_cb);

	ssl_client_ctx = SSL_CTX_new(TLSv1_client_method());

	if(ssl_client_ctx == NULL)
	{
		rb_lib_log("rb_init_openssl: Unable to initialize OpenSSL client context: %s",
			   get_ssl_error(ERR_get_error()));
		ret = 0;
	}
	return ret;
}


int
rb_setup_ssl_server(const char *cert, const char *keyfile, const char *dhfile)
{
	DH *dh;
	unsigned long err;
	if(cert == NULL)
	{
		rb_lib_log("rb_setup_ssl_server: No certificate file");
		return 0;
	}
	if(!SSL_CTX_use_certificate_chain_file(ssl_server_ctx, cert) || !SSL_CTX_use_certificate_chain_file(ssl_client_ctx, cert))
	{
		err = ERR_get_error();
		rb_lib_log("rb_setup_ssl_server: Error loading certificate file [%s]: %s", cert,
			   get_ssl_error(err));
		return 0;
	}

	if(keyfile == NULL)
	{
		rb_lib_log("rb_setup_ssl_server: No key file");
		return 0;
	}


	if(!SSL_CTX_use_PrivateKey_file(ssl_server_ctx, keyfile, SSL_FILETYPE_PEM) || !SSL_CTX_use_PrivateKey_file(ssl_client_ctx, keyfile, SSL_FILETYPE_PEM))
	{
		err = ERR_get_error();
		rb_lib_log("rb_setup_ssl_server: Error loading keyfile [%s]: %s", keyfile,
			   get_ssl_error(err));
		return 0;
	}

	if(dhfile != NULL)
	{
		/* DH parameters aren't necessary, but they are nice..if they didn't pass one..that is their problem */
		BIO *bio = BIO_new_file(dhfile, "r");
		if(bio != NULL)
		{
			dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
			if(dh == NULL)
			{
				err = ERR_get_error();
				rb_lib_log
					("rb_setup_ssl_server: Error loading DH params file [%s]: %s",
					 dhfile, get_ssl_error(err));
				BIO_free(bio);
				return 0;
			}
			BIO_free(bio);
			SSL_CTX_set_tmp_dh(ssl_server_ctx, dh);
		}
		else
		{
			err = ERR_get_error();
			rb_lib_log("rb_setup_ssl_server: Error loading DH params file [%s]: %s",
				   dhfile, get_ssl_error(err));
		}
	}
	return 1;
}

int
rb_ssl_listen(rb_fde_t *F, int backlog)
{
	F->type = RB_FD_SOCKET | RB_FD_LISTEN | RB_FD_SSL;
	return listen(F->fd, backlog);
}

struct ssl_connect
{
	CNCB *callback;
	void *data;
	int timeout;
};

static void
rb_ssl_connect_realcb(rb_fde_t *F, int status, struct ssl_connect *sconn)
{
	F->connect->callback = sconn->callback;
	F->connect->data = sconn->data;
	rb_free(sconn);
	rb_connect_callback(F, status);
}

static void
rb_ssl_tryconn_timeout_cb(rb_fde_t *F, void *data)
{
	rb_ssl_connect_realcb(F, RB_ERR_TIMEOUT, data);
}

static void
rb_ssl_tryconn_cb(rb_fde_t *F, void *data)
{
	struct ssl_connect *sconn = data;
	int ssl_err;
	if(!SSL_is_init_finished((SSL *) F->ssl))
	{
		if((ssl_err = SSL_connect((SSL *) F->ssl)) <= 0)
		{
			switch (ssl_err = SSL_get_error((SSL *) F->ssl, ssl_err))
			{
			case SSL_ERROR_SYSCALL:
				if(rb_ignore_errno(errno))
			case SSL_ERROR_WANT_READ:
			case SSL_ERROR_WANT_WRITE:
					{
						F->ssl_errno = get_last_err();
						rb_setselect(F, RB_SELECT_READ | RB_SELECT_WRITE,
							     rb_ssl_tryconn_cb, sconn);
						return;
					}
			default:
				F->ssl_errno = get_last_err();
				rb_ssl_connect_realcb(F, RB_ERROR_SSL, sconn);
				return;
			}
		}
		else
		{
			rb_ssl_connect_realcb(F, RB_OK, sconn);
		}
	}
}

static void
rb_ssl_tryconn(rb_fde_t *F, int status, void *data)
{
	struct ssl_connect *sconn = data;
	int ssl_err;
	if(status != RB_OK)
	{
		rb_ssl_connect_realcb(F, status, sconn);
		return;
	}

	F->type |= RB_FD_SSL;
	F->ssl = SSL_new(ssl_client_ctx);
	SSL_set_fd((SSL *) F->ssl, F->fd);
	rb_setup_ssl_cb(F);
	rb_settimeout(F, sconn->timeout, rb_ssl_tryconn_timeout_cb, sconn);
	if((ssl_err = SSL_connect((SSL *) F->ssl)) <= 0)
	{
		switch (ssl_err = SSL_get_error((SSL *) F->ssl, ssl_err))
		{
		case SSL_ERROR_SYSCALL:
			if(rb_ignore_errno(errno))
		case SSL_ERROR_WANT_READ:
		case SSL_ERROR_WANT_WRITE:
				{
					F->ssl_errno = get_last_err();
					rb_setselect(F, RB_SELECT_READ | RB_SELECT_WRITE,
						     rb_ssl_tryconn_cb, sconn);
					return;
				}
		default:
			F->ssl_errno = get_last_err();
			rb_ssl_connect_realcb(F, RB_ERROR_SSL, sconn);
			return;
		}
	}
	else
	{
		rb_ssl_connect_realcb(F, RB_OK, sconn);
	}
}

void
rb_connect_tcp_ssl(rb_fde_t *F, struct sockaddr *dest,
		   struct sockaddr *clocal, int socklen, CNCB * callback, void *data, int timeout)
{
	struct ssl_connect *sconn;
	if(F == NULL)
		return;

	sconn = rb_malloc(sizeof(struct ssl_connect));
	sconn->data = data;
	sconn->callback = callback;
	sconn->timeout = timeout;
	rb_connect_tcp(F, dest, clocal, socklen, rb_ssl_tryconn, sconn, timeout);

}

void
rb_ssl_start_connected(rb_fde_t *F, CNCB * callback, void *data, int timeout)
{
	struct ssl_connect *sconn;
	int ssl_err;
	if(F == NULL)
		return;

	sconn = rb_malloc(sizeof(struct ssl_connect));
	sconn->data = data;
	sconn->callback = callback;
	sconn->timeout = timeout;
	F->connect = rb_malloc(sizeof(struct conndata));
	F->connect->callback = callback;
	F->connect->data = data;
	F->type |= RB_FD_SSL;
	F->ssl = SSL_new(ssl_client_ctx);

	SSL_set_fd((SSL *) F->ssl, F->fd);
	rb_setup_ssl_cb(F);
	rb_settimeout(F, sconn->timeout, rb_ssl_tryconn_timeout_cb, sconn);
	if((ssl_err = SSL_connect((SSL *) F->ssl)) <= 0)
	{
		switch (ssl_err = SSL_get_error((SSL *) F->ssl, ssl_err))
		{
		case SSL_ERROR_SYSCALL:
			if(rb_ignore_errno(errno))
		case SSL_ERROR_WANT_READ:
		case SSL_ERROR_WANT_WRITE:
				{
					F->ssl_errno = get_last_err();
					rb_setselect(F, RB_SELECT_READ | RB_SELECT_WRITE,
						     rb_ssl_tryconn_cb, sconn);
					return;
				}
		default:
			F->ssl_errno = get_last_err();
			rb_ssl_connect_realcb(F, RB_ERROR_SSL, sconn);
			return;
		}
	}
	else
	{
		rb_ssl_connect_realcb(F, RB_OK, sconn);
	}
}

int
rb_init_prng(const char *path, prng_seed_t seed_type)
{
	if(seed_type == RB_PRNG_DEFAULT)
	{
#ifdef _WIN32
		RAND_screen();
#endif
		return RAND_status();
	}
	if(path == NULL)
		return RAND_status();

	switch (seed_type)
	{
	case RB_PRNG_EGD:
		if(RAND_egd(path) == -1)
			return -1;
		break;
	case RB_PRNG_FILE:
		if(RAND_load_file(path, -1) == -1)
			return -1;
		break;
#ifdef _WIN32
	case RB_PRNGWIN32:
		RAND_screen();
		break;
#endif
	default:
		return -1;
	}

	return RAND_status();
}

int
rb_get_random(void *buf, size_t length)
{
	int ret;

	if((ret = RAND_bytes(buf, length)) == 0)
	{
		/* remove the error from the queue */
		ERR_get_error();
	}
	return ret;
}

int
rb_get_pseudo_random(void *buf, size_t length)
{
	int ret;
	ret = RAND_pseudo_bytes(buf, length);
	if(ret < 0)
		return 0;
	return 1;
}

const char *
rb_get_ssl_strerror(rb_fde_t *F)
{
	return get_ssl_error(F->ssl_errno);
}

int
rb_get_ssl_certfp(rb_fde_t *F, uint8_t certfp[RB_SSL_CERTFP_LEN])
{
	X509 *cert;
	int res;

	if (F->ssl == NULL)
		return 0;

	cert = SSL_get_peer_certificate((SSL *) F->ssl);
	if(cert != NULL)
	{
		res = SSL_get_verify_result((SSL *) F->ssl);
		if(res == X509_V_OK ||
				res == X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN ||
				res == X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE ||
				res == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT)
		{
			memcpy(certfp, cert->sha1_hash, RB_SSL_CERTFP_LEN);
			return 1;
		}
		X509_free(cert);
	}

	return 0;
}

int
rb_supports_ssl(void)
{
	return 1;
}

void
rb_get_ssl_info(char *buf, size_t len)
{
	rb_snprintf(buf, len, "Using SSL: %s compiled: 0x%lx, library 0x%lx", 
		    SSLeay_version(SSLEAY_VERSION),
		    (long)OPENSSL_VERSION_NUMBER, SSLeay());
}


#endif /* HAVE_OPESSL */
Commit	Line	Data
b57f37fb WP	1	/*
	2	* libratbox: a library used by ircd-ratbox and other things
	3	* openssl.c: openssl related code
	4	*
	5	* Copyright (C) 2007-2008 ircd-ratbox development team
	6	* Copyright (C) 2007-2008 Aaron Sethman <androsyn@ratbox.org>
	7	*
	8	* This program is free software; you can redistribute it and/or modify
	9	* it under the terms of the GNU General Public License as published by
	10	* the Free Software Foundation; either version 2 of the License, or
	11	* (at your option) any later version.
	12	*
	13	* This program is distributed in the hope that it will be useful,
	14	* but WITHOUT ANY WARRANTY; without even the implied warranty of
	15	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	16	* GNU General Public License for more details.
	17	*
	18	* You should have received a copy of the GNU General Public License
	19	* along with this program; if not, write to the Free Software
	20	* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301
	21	* USA
	22	*
b57f37fb WP	23	*/
	24
	25	#include <libratbox_config.h>
	26	#include <ratbox_lib.h>
	27
	28	#ifdef HAVE_OPENSSL
	29
	30	#include <commio-int.h>
	31	#include <commio-ssl.h>
	32	#include <openssl/ssl.h>
	33	#include <openssl/dh.h>
	34	#include <openssl/err.h>
	35	#include <openssl/rand.h>
	36
	37	static SSL_CTX *ssl_server_ctx;
	38	static SSL_CTX *ssl_client_ctx;
033be687	39	static int libratbox_index = -1;
b57f37fb	40
94b4fbf9 VY	41	static unsigned long
94b4fbf9 VY	42	get_last_err(void)
b57f37fb WP	43	{
	44	unsigned long t_err, err = 0;
	45	err = ERR_get_error();
	46	if(err == 0)
	47	return 0;
94b4fbf9	48
b57f37fb WP	49	while((t_err = ERR_get_error()) > 0)
	50	err = t_err;
	51
	52	return err;
	53	}
	54
	55	void
94b4fbf9	56	rb_ssl_shutdown(rb_fde_t *F)
b57f37fb WP	57	{
	58	int i;
	59	if(F == NULL \|\| F->ssl == NULL)
	60	return;
	61	SSL_set_shutdown((SSL *) F->ssl, SSL_RECEIVED_SHUTDOWN);
	62
94b4fbf9	63	for(i = 0; i < 4; i++)
b57f37fb WP	64	{
	65	if(SSL_shutdown((SSL *) F->ssl))
	66	break;
	67	}
	68	get_last_err();
	69	SSL_free((SSL *) F->ssl);
	70	}
	71
033be687 VY	72	unsigned int
	73	rb_ssl_handshake_count(rb_fde_t *F)
	74	{
	75	return F->handshake_count;
	76	}
	77
	78	void
	79	rb_ssl_clear_handshake_count(rb_fde_t *F)
	80	{
	81	F->handshake_count = 0;
	82	}
	83
b57f37fb	84	static void
94b4fbf9	85	rb_ssl_timeout(rb_fde_t F, void notused)
b57f37fb	86	{
8f40f4bb VY	87	lrb_assert(F->accept != NULL);
8f40f4bb VY	88	F->accept->callback(F, RB_ERR_TIMEOUT, NULL, 0, F->accept->data);
b57f37fb WP	89	}
	90
	91
94b4fbf9 VY	92	static void
94b4fbf9 VY	93	rb_ssl_info_callback(SSL * ssl, int where, int ret)
033be687 VY	94	{
	95	if(where & SSL_CB_HANDSHAKE_START)
	96	{
	97	rb_fde_t *F = SSL_get_ex_data(ssl, libratbox_index);
	98	if(F == NULL)
	99	return;
	100	F->handshake_count++;
94b4fbf9	101	}
033be687 VY	102	}
	103
	104	static void
	105	rb_setup_ssl_cb(rb_fde_t *F)
	106	{
	107	SSL_set_ex_data(F->ssl, libratbox_index, (char *)F);
94b4fbf9	108	SSL_set_info_callback((SSL ) F->ssl, (void ()(const SSL *,int,int))rb_ssl_info_callback);
033be687 VY	109	}
033be687 VY	110
b57f37fb	111	static void
94b4fbf9	112	rb_ssl_tryaccept(rb_fde_t F, void data)
b57f37fb WP	113	{
	114	int ssl_err;
	115	lrb_assert(F->accept != NULL);
8f40f4bb	116	int flags;
b68b0b2c	117	struct acceptdata *ad;
b57f37fb WP	118
	119	if(!SSL_is_init_finished((SSL *) F->ssl))
	120	{
	121	if((ssl_err = SSL_accept((SSL *) F->ssl)) <= 0)
	122	{
	123	switch (ssl_err = SSL_get_error((SSL *) F->ssl, ssl_err))
	124	{
b57f37fb WP	125	case SSL_ERROR_WANT_READ:
b57f37fb WP	126	case SSL_ERROR_WANT_WRITE:
8f40f4bb VY	127	if(ssl_err == SSL_ERROR_WANT_WRITE)
	128	flags = RB_SELECT_WRITE;
	129	else
	130	flags = RB_SELECT_READ;
	131	F->ssl_errno = get_last_err();
	132	rb_setselect(F, flags, rb_ssl_tryaccept, NULL);
	133	break;
	134	case SSL_ERROR_SYSCALL:
	135	F->accept->callback(F, RB_ERROR, NULL, 0, F->accept->data);
	136	break;
b57f37fb WP	137	default:
	138	F->ssl_errno = get_last_err();
	139	F->accept->callback(F, RB_ERROR_SSL, NULL, 0, F->accept->data);
	140	break;
	141	}
	142	return;
	143	}
	144	}
	145	rb_settimeout(F, 0, NULL, NULL);
	146	rb_setselect(F, RB_SELECT_READ \| RB_SELECT_WRITE, NULL, NULL);
94b4fbf9	147
b68b0b2c	148	ad = F->accept;
b57f37fb	149	F->accept = NULL;
94b4fbf9	150	ad->callback(F, RB_OK, (struct sockaddr *)&ad->S, ad->addrlen, ad->data);
b68b0b2c	151	rb_free(ad);
b57f37fb WP	152
	153	}
	154
033be687 VY	155
	156	static void
	157	rb_ssl_accept_common(rb_fde_t *new_F)
b57f37fb WP	158	{
b57f37fb WP	159	int ssl_err;
b57f37fb WP	160	if((ssl_err = SSL_accept((SSL *) new_F->ssl)) <= 0)
	161	{
	162	switch (ssl_err = SSL_get_error((SSL *) new_F->ssl, ssl_err))
	163	{
	164	case SSL_ERROR_SYSCALL:
	165	if(rb_ignore_errno(errno))
	166	case SSL_ERROR_WANT_READ:
	167	case SSL_ERROR_WANT_WRITE:
	168	{
	169	new_F->ssl_errno = get_last_err();
	170	rb_setselect(new_F, RB_SELECT_READ \| RB_SELECT_WRITE,
	171	rb_ssl_tryaccept, NULL);
	172	return;
	173	}
	174	default:
	175	new_F->ssl_errno = get_last_err();
	176	new_F->accept->callback(new_F, RB_ERROR_SSL, NULL, 0, new_F->accept->data);
	177	return;
	178	}
	179	}
	180	else
	181	{
	182	rb_ssl_tryaccept(new_F, NULL);
	183	}
	184	}
	185
033be687	186	void
94b4fbf9	187	rb_ssl_start_accepted(rb_fde_t new_F, ACCB cb, void *data, int timeout)
033be687 VY	188	{
	189	new_F->type \|= RB_FD_SSL;
	190	new_F->ssl = SSL_new(ssl_server_ctx);
	191	new_F->accept = rb_malloc(sizeof(struct acceptdata));
	192
	193	new_F->accept->callback = cb;
	194	new_F->accept->data = data;
	195	rb_settimeout(new_F, timeout, rb_ssl_timeout, NULL);
	196
	197	new_F->accept->addrlen = 0;
	198	SSL_set_fd((SSL *) new_F->ssl, rb_get_fd(new_F));
	199	rb_setup_ssl_cb(new_F);
	200	rb_ssl_accept_common(new_F);
	201	}
	202
b57f37fb WP	203
	204
	205
	206	void
94b4fbf9	207	rb_ssl_accept_setup(rb_fde_t F, rb_fde_t new_F, struct sockaddr *st, int addrlen)
b57f37fb	208	{
b57f37fb WP	209	new_F->type \|= RB_FD_SSL;
	210	new_F->ssl = SSL_new(ssl_server_ctx);
	211	new_F->accept = rb_malloc(sizeof(struct acceptdata));
	212
	213	new_F->accept->callback = F->accept->callback;
	214	new_F->accept->data = F->accept->data;
	215	rb_settimeout(new_F, 10, rb_ssl_timeout, NULL);
	216	memcpy(&new_F->accept->S, st, addrlen);
	217	new_F->accept->addrlen = addrlen;
	218
4414eb3c	219	SSL_set_fd((SSL *) new_F->ssl, rb_get_fd(new_F));
033be687 VY	220	rb_setup_ssl_cb(new_F);
033be687 VY	221	rb_ssl_accept_common(new_F);
b57f37fb WP	222	}
	223
	224	static ssize_t
94b4fbf9	225	rb_ssl_read_or_write(int r_or_w, rb_fde_t F, void rbuf, const void *wbuf, size_t count)
b57f37fb WP	226	{
	227	ssize_t ret;
	228	unsigned long err;
	229	SSL *ssl = F->ssl;
	230
	231	if(r_or_w == 0)
94b4fbf9	232	ret = (ssize_t) SSL_read(ssl, rbuf, (int)count);
b57f37fb	233	else
94b4fbf9	234	ret = (ssize_t) SSL_write(ssl, wbuf, (int)count);
b57f37fb WP	235
	236	if(ret < 0)
	237	{
	238	switch (SSL_get_error(ssl, ret))
	239	{
	240	case SSL_ERROR_WANT_READ:
	241	errno = EAGAIN;
	242	return RB_RW_SSL_NEED_READ;
	243	case SSL_ERROR_WANT_WRITE:
	244	errno = EAGAIN;
	245	return RB_RW_SSL_NEED_WRITE;
	246	case SSL_ERROR_ZERO_RETURN:
	247	return 0;
	248	case SSL_ERROR_SYSCALL:
	249	err = get_last_err();
	250	if(err == 0)
	251	{
	252	F->ssl_errno = 0;
	253	return RB_RW_IO_ERROR;
	254	}
	255	break;
	256	default:
	257	err = get_last_err();
	258	break;
	259	}
	260	F->ssl_errno = err;
	261	if(err > 0)
	262	{
	263	errno = EIO; /* not great but... */
	264	return RB_RW_SSL_ERROR;
	265	}
	266	return RB_RW_IO_ERROR;
	267	}
	268	return ret;
	269	}
	270
	271	ssize_t
94b4fbf9	272	rb_ssl_read(rb_fde_t F, void buf, size_t count)
b57f37fb WP	273	{
	274	return rb_ssl_read_or_write(0, F, buf, NULL, count);
	275	}
	276
	277	ssize_t
94b4fbf9	278	rb_ssl_write(rb_fde_t F, const void buf, size_t count)
b57f37fb WP	279	{
	280	return rb_ssl_read_or_write(1, F, NULL, buf, count);
	281	}
	282
a099270d JT	283	static int
	284	verify_accept_all_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)
	285	{
	286	return 1;
	287	}
	288
57fe1cf1 JT	289	static const char *
	290	get_ssl_error(unsigned long err)
	291	{
	292	static char buf[512];
	293
	294	ERR_error_string_n(err, buf, sizeof buf);
	295	return buf;
	296	}
	297
b57f37fb WP	298	int
	299	rb_init_ssl(void)
	300	{
	301	int ret = 1;
033be687	302	char libratbox_data[] = "libratbox data";
b57f37fb WP	303	SSL_load_error_strings();
b57f37fb WP	304	SSL_library_init();
033be687	305	libratbox_index = SSL_get_ex_new_index(0, libratbox_data, NULL, NULL, NULL);
b57f37fb WP	306	ssl_server_ctx = SSL_CTX_new(SSLv23_server_method());
	307	if(ssl_server_ctx == NULL)
	308	{
	309	rb_lib_log("rb_init_openssl: Unable to initialize OpenSSL server context: %s",
57fe1cf1	310	get_ssl_error(ERR_get_error()));
b57f37fb WP	311	ret = 0;
	312	}
	313	/* Disable SSLv2, make the client use our settings */
	314	SSL_CTX_set_options(ssl_server_ctx, SSL_OP_NO_SSLv2 \| SSL_OP_CIPHER_SERVER_PREFERENCE);
a099270d	315	SSL_CTX_set_verify(ssl_server_ctx, SSL_VERIFY_PEER \| SSL_VERIFY_CLIENT_ONCE, verify_accept_all_cb);
94b4fbf9	316
b57f37fb WP	317	ssl_client_ctx = SSL_CTX_new(TLSv1_client_method());
	318
	319	if(ssl_client_ctx == NULL)
	320	{
	321	rb_lib_log("rb_init_openssl: Unable to initialize OpenSSL client context: %s",
57fe1cf1	322	get_ssl_error(ERR_get_error()));
b57f37fb WP	323	ret = 0;
	324	}
	325	return ret;
	326	}
	327
	328
	329	int
	330	rb_setup_ssl_server(const char cert, const char keyfile, const char *dhfile)
	331	{
b57f37fb WP	332	DH *dh;
	333	unsigned long err;
	334	if(cert == NULL)
	335	{
	336	rb_lib_log("rb_setup_ssl_server: No certificate file");
	337	return 0;
	338	}
6ec1ddab	339	if(!SSL_CTX_use_certificate_chain_file(ssl_server_ctx, cert) \|\| !SSL_CTX_use_certificate_chain_file(ssl_client_ctx, cert))
b57f37fb WP	340	{
	341	err = ERR_get_error();
	342	rb_lib_log("rb_setup_ssl_server: Error loading certificate file [%s]: %s", cert,
57fe1cf1	343	get_ssl_error(err));
b57f37fb WP	344	return 0;
	345	}
	346
	347	if(keyfile == NULL)
	348	{
	349	rb_lib_log("rb_setup_ssl_server: No key file");
	350	return 0;
	351	}
	352
	353
6ec1ddab	354	if(!SSL_CTX_use_PrivateKey_file(ssl_server_ctx, keyfile, SSL_FILETYPE_PEM) \|\| !SSL_CTX_use_PrivateKey_file(ssl_client_ctx, keyfile, SSL_FILETYPE_PEM))
b57f37fb WP	355	{
	356	err = ERR_get_error();
	357	rb_lib_log("rb_setup_ssl_server: Error loading keyfile [%s]: %s", keyfile,
57fe1cf1	358	get_ssl_error(err));
b57f37fb WP	359	return 0;
	360	}
	361
	362	if(dhfile != NULL)
	363	{
	364	/* DH parameters aren't necessary, but they are nice..if they didn't pass one..that is their problem */
94b4fbf9 VY	365	BIO *bio = BIO_new_file(dhfile, "r");
94b4fbf9 VY	366	if(bio != NULL)
b57f37fb	367	{
94b4fbf9	368	dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
b57f37fb WP	369	if(dh == NULL)
	370	{
	371	err = ERR_get_error();
	372	rb_lib_log
	373	("rb_setup_ssl_server: Error loading DH params file [%s]: %s",
57fe1cf1	374	dhfile, get_ssl_error(err));
94b4fbf9	375	BIO_free(bio);
b57f37fb WP	376	return 0;
b57f37fb WP	377	}
94b4fbf9	378	BIO_free(bio);
b57f37fb	379	SSL_CTX_set_tmp_dh(ssl_server_ctx, dh);
94b4fbf9 VY	380	}
	381	else
	382	{
	383	err = ERR_get_error();
	384	rb_lib_log("rb_setup_ssl_server: Error loading DH params file [%s]: %s",
57fe1cf1	385	dhfile, get_ssl_error(err));
b57f37fb WP	386	}
	387	}
	388	return 1;
	389	}
	390
	391	int
94b4fbf9	392	rb_ssl_listen(rb_fde_t *F, int backlog)
b57f37fb WP	393	{
	394	F->type = RB_FD_SOCKET \| RB_FD_LISTEN \| RB_FD_SSL;
	395	return listen(F->fd, backlog);
	396	}
	397
	398	struct ssl_connect
	399	{
	400	CNCB *callback;
	401	void *data;
	402	int timeout;
	403	};
	404
	405	static void
94b4fbf9	406	rb_ssl_connect_realcb(rb_fde_t F, int status, struct ssl_connect sconn)
b57f37fb WP	407	{
	408	F->connect->callback = sconn->callback;
	409	F->connect->data = sconn->data;
	410	rb_free(sconn);
	411	rb_connect_callback(F, status);
	412	}
	413
	414	static void
94b4fbf9	415	rb_ssl_tryconn_timeout_cb(rb_fde_t F, void data)
b57f37fb WP	416	{
	417	rb_ssl_connect_realcb(F, RB_ERR_TIMEOUT, data);
	418	}
	419
	420	static void
94b4fbf9	421	rb_ssl_tryconn_cb(rb_fde_t F, void data)
b57f37fb WP	422	{
	423	struct ssl_connect *sconn = data;
	424	int ssl_err;
	425	if(!SSL_is_init_finished((SSL *) F->ssl))
	426	{
	427	if((ssl_err = SSL_connect((SSL *) F->ssl)) <= 0)
	428	{
	429	switch (ssl_err = SSL_get_error((SSL *) F->ssl, ssl_err))
	430	{
	431	case SSL_ERROR_SYSCALL:
	432	if(rb_ignore_errno(errno))
	433	case SSL_ERROR_WANT_READ:
	434	case SSL_ERROR_WANT_WRITE:
	435	{
	436	F->ssl_errno = get_last_err();
	437	rb_setselect(F, RB_SELECT_READ \| RB_SELECT_WRITE,
	438	rb_ssl_tryconn_cb, sconn);
	439	return;
	440	}
	441	default:
	442	F->ssl_errno = get_last_err();
	443	rb_ssl_connect_realcb(F, RB_ERROR_SSL, sconn);
	444	return;
	445	}
	446	}
	447	else
	448	{
	449	rb_ssl_connect_realcb(F, RB_OK, sconn);
	450	}
	451	}
	452	}
	453
	454	static void
94b4fbf9	455	rb_ssl_tryconn(rb_fde_t F, int status, void data)
b57f37fb WP	456	{
	457	struct ssl_connect *sconn = data;
	458	int ssl_err;
	459	if(status != RB_OK)
	460	{
	461	rb_ssl_connect_realcb(F, status, sconn);
	462	return;
	463	}
	464
	465	F->type \|= RB_FD_SSL;
	466	F->ssl = SSL_new(ssl_client_ctx);
	467	SSL_set_fd((SSL *) F->ssl, F->fd);
033be687	468	rb_setup_ssl_cb(F);
b57f37fb WP	469	rb_settimeout(F, sconn->timeout, rb_ssl_tryconn_timeout_cb, sconn);
	470	if((ssl_err = SSL_connect((SSL *) F->ssl)) <= 0)
	471	{
	472	switch (ssl_err = SSL_get_error((SSL *) F->ssl, ssl_err))
	473	{
	474	case SSL_ERROR_SYSCALL:
	475	if(rb_ignore_errno(errno))
	476	case SSL_ERROR_WANT_READ:
	477	case SSL_ERROR_WANT_WRITE:
	478	{
	479	F->ssl_errno = get_last_err();
	480	rb_setselect(F, RB_SELECT_READ \| RB_SELECT_WRITE,
	481	rb_ssl_tryconn_cb, sconn);
	482	return;
	483	}
	484	default:
	485	F->ssl_errno = get_last_err();
	486	rb_ssl_connect_realcb(F, RB_ERROR_SSL, sconn);
	487	return;
	488	}
	489	}
	490	else
	491	{
	492	rb_ssl_connect_realcb(F, RB_OK, sconn);
	493	}
	494	}
	495
	496	void
94b4fbf9	497	rb_connect_tcp_ssl(rb_fde_t F, struct sockaddr dest,
b57f37fb WP	498	struct sockaddr clocal, int socklen, CNCB callback, void *data, int timeout)
	499	{
	500	struct ssl_connect *sconn;
	501	if(F == NULL)
	502	return;
	503
	504	sconn = rb_malloc(sizeof(struct ssl_connect));
	505	sconn->data = data;
	506	sconn->callback = callback;
	507	sconn->timeout = timeout;
	508	rb_connect_tcp(F, dest, clocal, socklen, rb_ssl_tryconn, sconn, timeout);
	509
	510	}
	511
	512	void
94b4fbf9	513	rb_ssl_start_connected(rb_fde_t F, CNCB callback, void *data, int timeout)
b57f37fb WP	514	{
	515	struct ssl_connect *sconn;
	516	int ssl_err;
	517	if(F == NULL)
	518	return;
	519
	520	sconn = rb_malloc(sizeof(struct ssl_connect));
	521	sconn->data = data;
	522	sconn->callback = callback;
	523	sconn->timeout = timeout;
	524	F->connect = rb_malloc(sizeof(struct conndata));
	525	F->connect->callback = callback;
	526	F->connect->data = data;
	527	F->type \|= RB_FD_SSL;
	528	F->ssl = SSL_new(ssl_client_ctx);
94b4fbf9	529
b57f37fb	530	SSL_set_fd((SSL *) F->ssl, F->fd);
033be687	531	rb_setup_ssl_cb(F);
b57f37fb WP	532	rb_settimeout(F, sconn->timeout, rb_ssl_tryconn_timeout_cb, sconn);
	533	if((ssl_err = SSL_connect((SSL *) F->ssl)) <= 0)
	534	{
	535	switch (ssl_err = SSL_get_error((SSL *) F->ssl, ssl_err))
	536	{
	537	case SSL_ERROR_SYSCALL:
	538	if(rb_ignore_errno(errno))
	539	case SSL_ERROR_WANT_READ:
	540	case SSL_ERROR_WANT_WRITE:
	541	{
	542	F->ssl_errno = get_last_err();
	543	rb_setselect(F, RB_SELECT_READ \| RB_SELECT_WRITE,
	544	rb_ssl_tryconn_cb, sconn);
	545	return;
	546	}
	547	default:
	548	F->ssl_errno = get_last_err();
	549	rb_ssl_connect_realcb(F, RB_ERROR_SSL, sconn);
	550	return;
	551	}
	552	}
	553	else
	554	{
	555	rb_ssl_connect_realcb(F, RB_OK, sconn);
	556	}
	557	}
	558
	559	int
	560	rb_init_prng(const char *path, prng_seed_t seed_type)
	561	{
	562	if(seed_type == RB_PRNG_DEFAULT)
	563	{
94b4fbf9	564	#ifdef _WIN32
b57f37fb WP	565	RAND_screen();
	566	#endif
	567	return RAND_status();
	568	}
	569	if(path == NULL)
	570	return RAND_status();
	571
	572	switch (seed_type)
	573	{
	574	case RB_PRNG_EGD:
	575	if(RAND_egd(path) == -1)
	576	return -1;
	577	break;
	578	case RB_PRNG_FILE:
	579	if(RAND_load_file(path, -1) == -1)
	580	return -1;
	581	break;
94b4fbf9	582	#ifdef _WIN32
b57f37fb WP	583	case RB_PRNGWIN32:
	584	RAND_screen();
	585	break;
	586	#endif
	587	default:
	588	return -1;
	589	}
	590
	591	return RAND_status();
	592	}
	593
	594	int
	595	rb_get_random(void *buf, size_t length)
	596	{
4414eb3c	597	int ret;
94b4fbf9	598
4414eb3c	599	if((ret = RAND_bytes(buf, length)) == 0)
b57f37fb	600	{
4414eb3c	601	/* remove the error from the queue */
94b4fbf9	602	ERR_get_error();
b57f37fb	603	}
4414eb3c	604	return ret;
b57f37fb WP	605	}
b57f37fb WP	606
4414eb3c VY	607	int
	608	rb_get_pseudo_random(void *buf, size_t length)
	609	{
	610	int ret;
	611	ret = RAND_pseudo_bytes(buf, length);
	612	if(ret < 0)
	613	return 0;
	614	return 1;
	615	}
b57f37fb WP	616
b57f37fb WP	617	const char *
94b4fbf9	618	rb_get_ssl_strerror(rb_fde_t *F)
b57f37fb	619	{
57fe1cf1	620	return get_ssl_error(F->ssl_errno);
b57f37fb WP	621	}
b57f37fb WP	622
a099270d JT	623	int
	624	rb_get_ssl_certfp(rb_fde_t *F, uint8_t certfp[RB_SSL_CERTFP_LEN])
	625	{
	626	X509 *cert;
	627	int res;
	628
	629	if (F->ssl == NULL)
	630	return 0;
	631
	632	cert = SSL_get_peer_certificate((SSL *) F->ssl);
	633	if(cert != NULL)
	634	{
	635	res = SSL_get_verify_result((SSL *) F->ssl);
	636	if(res == X509_V_OK \|\|
	637	res == X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN \|\|
	638	res == X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE \|\|
	639	res == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT)
	640	{
	641	memcpy(certfp, cert->sha1_hash, RB_SSL_CERTFP_LEN);
	642	return 1;
	643	}
6af7e4fa	644	X509_free(cert);
a099270d JT	645	}
	646
	647	return 0;
	648	}
	649
b57f37fb WP	650	int
	651	rb_supports_ssl(void)
	652	{
	653	return 1;
	654	}
	655
f030cae8 VY	656	void
	657	rb_get_ssl_info(char *buf, size_t len)
	658	{
	659	rb_snprintf(buf, len, "Using SSL: %s compiled: 0x%lx, library 0x%lx",
8d5df4cb JT	660	SSLeay_version(SSLEAY_VERSION),
8d5df4cb JT	661	(long)OPENSSL_VERSION_NUMBER, SSLeay());
f030cae8 VY	662	}
	663
	664
b57f37fb	665	#endif /* HAVE_OPESSL */