[irc/rqf/shadowircd.git] / libratbox / src / openssl.c

/*
 *  libratbox: a library used by ircd-ratbox and other things
 *  openssl.c: openssl related code
 *
 *  Copyright (C) 2007-2008 ircd-ratbox development team
 *  Copyright (C) 2007-2008 Aaron Sethman <androsyn@ratbox.org>
 *
 *  This program is free software; you can redistribute it and/or modify
 *  it under the terms of the GNU General Public License as published by
 *  the Free Software Foundation; either version 2 of the License, or
 *  (at your option) any later version.
 *
 *  This program is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *  GNU General Public License for more details.
 *  
 *  You should have received a copy of the GNU General Public License
 *  along with this program; if not, write to the Free Software
 *  Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301
 *  USA
 *
 *  $Id: commio.c 24808 2008-01-02 08:17:05Z androsyn $
 */

#include <libratbox_config.h>
#include <ratbox_lib.h>

#ifdef HAVE_OPENSSL

#include <commio-int.h>
#include <commio-ssl.h>
#include <openssl/ssl.h>
#include <openssl/dh.h>
#include <openssl/err.h>
#include <openssl/rand.h>

static SSL_CTX *ssl_server_ctx;
static SSL_CTX *ssl_client_ctx;
static int libratbox_index = -1;

static unsigned long
get_last_err(void)
{
	unsigned long t_err, err = 0;
	err = ERR_get_error();
	if(err == 0)
		return 0;

	while((t_err = ERR_get_error()) > 0)
		err = t_err;

	return err;
}

void
rb_ssl_shutdown(rb_fde_t *F)
{
	int i;
	if(F == NULL || F->ssl == NULL)
		return;
	SSL_set_shutdown((SSL *) F->ssl, SSL_RECEIVED_SHUTDOWN);

	for(i = 0; i < 4; i++)
	{
		if(SSL_shutdown((SSL *) F->ssl))
			break;
	}
	get_last_err();
	SSL_free((SSL *) F->ssl);
}

unsigned int
rb_ssl_handshake_count(rb_fde_t *F)
{
	return F->handshake_count;
}

void
rb_ssl_clear_handshake_count(rb_fde_t *F)
{
	F->handshake_count = 0;
}

static void
rb_ssl_timeout(rb_fde_t *F, void *notused)
{
	lrb_assert(F->accept != NULL);
	F->accept->callback(F, RB_ERR_TIMEOUT, NULL, 0, F->accept->data);
}


static void
rb_ssl_info_callback(SSL * ssl, int where, int ret)
{
	if(where & SSL_CB_HANDSHAKE_START)
	{
		rb_fde_t *F = SSL_get_ex_data(ssl, libratbox_index);
		if(F == NULL)
			return;
		F->handshake_count++;
	}
}

static void
rb_setup_ssl_cb(rb_fde_t *F)
{
	SSL_set_ex_data(F->ssl, libratbox_index, (char *)F);
	SSL_set_info_callback((SSL *) F->ssl, (void (*)(const SSL *,int,int))rb_ssl_info_callback);
}

static void
rb_ssl_tryaccept(rb_fde_t *F, void *data)
{
	int ssl_err;
	lrb_assert(F->accept != NULL);
	int flags;
	struct acceptdata *ad;

	if(!SSL_is_init_finished((SSL *) F->ssl))
	{
		if((ssl_err = SSL_accept((SSL *) F->ssl)) <= 0)
		{
			switch (ssl_err = SSL_get_error((SSL *) F->ssl, ssl_err))
			{
			case SSL_ERROR_WANT_READ:
			case SSL_ERROR_WANT_WRITE:
				if(ssl_err == SSL_ERROR_WANT_WRITE)
					flags = RB_SELECT_WRITE;
				else
					flags = RB_SELECT_READ;
				F->ssl_errno = get_last_err();
				rb_setselect(F, flags, rb_ssl_tryaccept, NULL);
				break;
			case SSL_ERROR_SYSCALL:
				F->accept->callback(F, RB_ERROR, NULL, 0, F->accept->data);
				break;
			default:
				F->ssl_errno = get_last_err();
				F->accept->callback(F, RB_ERROR_SSL, NULL, 0, F->accept->data);
				break;
			}
			return;
		}
	}
	rb_settimeout(F, 0, NULL, NULL);
	rb_setselect(F, RB_SELECT_READ | RB_SELECT_WRITE, NULL, NULL);

	ad = F->accept;
	F->accept = NULL;
	ad->callback(F, RB_OK, (struct sockaddr *)&ad->S, ad->addrlen, ad->data);
	rb_free(ad);

}


static void
rb_ssl_accept_common(rb_fde_t *new_F)
{
	int ssl_err;
	if((ssl_err = SSL_accept((SSL *) new_F->ssl)) <= 0)
	{
		switch (ssl_err = SSL_get_error((SSL *) new_F->ssl, ssl_err))
		{
		case SSL_ERROR_SYSCALL:
			if(rb_ignore_errno(errno))
		case SSL_ERROR_WANT_READ:
		case SSL_ERROR_WANT_WRITE:
				{
					new_F->ssl_errno = get_last_err();
					rb_setselect(new_F, RB_SELECT_READ | RB_SELECT_WRITE,
						     rb_ssl_tryaccept, NULL);
					return;
				}
		default:
			new_F->ssl_errno = get_last_err();
			new_F->accept->callback(new_F, RB_ERROR_SSL, NULL, 0, new_F->accept->data);
			return;
		}
	}
	else
	{
		rb_ssl_tryaccept(new_F, NULL);
	}
}

void
rb_ssl_start_accepted(rb_fde_t *new_F, ACCB * cb, void *data, int timeout)
{
	new_F->type |= RB_FD_SSL;
	new_F->ssl = SSL_new(ssl_server_ctx);
	new_F->accept = rb_malloc(sizeof(struct acceptdata));

	new_F->accept->callback = cb;
	new_F->accept->data = data;
	rb_settimeout(new_F, timeout, rb_ssl_timeout, NULL);

	new_F->accept->addrlen = 0;
	SSL_set_fd((SSL *) new_F->ssl, rb_get_fd(new_F));
	rb_setup_ssl_cb(new_F);
	rb_ssl_accept_common(new_F);
}


void
rb_ssl_accept_setup(rb_fde_t *F, rb_fde_t *new_F, struct sockaddr *st, int addrlen)
{
	new_F->type |= RB_FD_SSL;
	new_F->ssl = SSL_new(ssl_server_ctx);
	new_F->accept = rb_malloc(sizeof(struct acceptdata));

	new_F->accept->callback = F->accept->callback;
	new_F->accept->data = F->accept->data;
	rb_settimeout(new_F, 10, rb_ssl_timeout, NULL);
	memcpy(&new_F->accept->S, st, addrlen);
	new_F->accept->addrlen = addrlen;

	SSL_set_fd((SSL *) new_F->ssl, rb_get_fd(new_F));
	rb_setup_ssl_cb(new_F);
	rb_ssl_accept_common(new_F);
}

static ssize_t
rb_ssl_read_or_write(int r_or_w, rb_fde_t *F, void *rbuf, const void *wbuf, size_t count)
{
	ssize_t ret;
	unsigned long err;
	SSL *ssl = F->ssl;

	if(r_or_w == 0)
		ret = (ssize_t) SSL_read(ssl, rbuf, (int)count);
	else
		ret = (ssize_t) SSL_write(ssl, wbuf, (int)count);

	if(ret < 0)
	{
		switch (SSL_get_error(ssl, ret))
		{
		case SSL_ERROR_WANT_READ:
			errno = EAGAIN;
			return RB_RW_SSL_NEED_READ;
		case SSL_ERROR_WANT_WRITE:
			errno = EAGAIN;
			return RB_RW_SSL_NEED_WRITE;
		case SSL_ERROR_ZERO_RETURN:
			return 0;
		case SSL_ERROR_SYSCALL:
			err = get_last_err();
			if(err == 0)
			{
				F->ssl_errno = 0;
				return RB_RW_IO_ERROR;
			}
			break;
		default:
			err = get_last_err();
			break;
		}
		F->ssl_errno = err;
		if(err > 0)
		{
			errno = EIO;	/* not great but... */
			return RB_RW_SSL_ERROR;
		}
		return RB_RW_IO_ERROR;
	}
	return ret;
}

ssize_t
rb_ssl_read(rb_fde_t *F, void *buf, size_t count)
{
	return rb_ssl_read_or_write(0, F, buf, NULL, count);
}

ssize_t
rb_ssl_write(rb_fde_t *F, const void *buf, size_t count)
{
	return rb_ssl_read_or_write(1, F, NULL, buf, count);
}

static int
verify_accept_all_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)
{
	return 1;
}

int
rb_init_ssl(void)
{
	int ret = 1;
	char libratbox_data[] = "libratbox data";
	SSL_load_error_strings();
	SSL_library_init();
	libratbox_index = SSL_get_ex_new_index(0, libratbox_data, NULL, NULL, NULL);
	ssl_server_ctx = SSL_CTX_new(SSLv23_server_method());
	if(ssl_server_ctx == NULL)
	{
		rb_lib_log("rb_init_openssl: Unable to initialize OpenSSL server context: %s",
			   ERR_error_string(ERR_get_error(), NULL));
		ret = 0;
	}
	/* Disable SSLv2, make the client use our settings */
	SSL_CTX_set_options(ssl_server_ctx, SSL_OP_NO_SSLv2 | SSL_OP_CIPHER_SERVER_PREFERENCE);
	SSL_CTX_set_verify(ssl_server_ctx, SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE, verify_accept_all_cb);

	ssl_client_ctx = SSL_CTX_new(TLSv1_client_method());

	if(ssl_client_ctx == NULL)
	{
		rb_lib_log("rb_init_openssl: Unable to initialize OpenSSL client context: %s",
			   ERR_error_string(ERR_get_error(), NULL));
		ret = 0;
	}
	return ret;
}


int
rb_setup_ssl_server(const char *cert, const char *keyfile, const char *dhfile)
{
	DH *dh;
	unsigned long err;
	if(cert == NULL)
	{
		rb_lib_log("rb_setup_ssl_server: No certificate file");
		return 0;
	}
	if(!SSL_CTX_use_certificate_chain_file(ssl_server_ctx, cert))
	{
		err = ERR_get_error();
		rb_lib_log("rb_setup_ssl_server: Error loading certificate file [%s]: %s", cert,
			   ERR_error_string(err, NULL));
		return 0;
	}

	if(keyfile == NULL)
	{
		rb_lib_log("rb_setup_ssl_server: No key file");
		return 0;
	}


	if(!SSL_CTX_use_PrivateKey_file(ssl_server_ctx, keyfile, SSL_FILETYPE_PEM))
	{
		err = ERR_get_error();
		rb_lib_log("rb_setup_ssl_server: Error loading keyfile [%s]: %s", keyfile,
			   ERR_error_string(err, NULL));
		return 0;
	}

	if(dhfile != NULL)
	{
		/* DH parameters aren't necessary, but they are nice..if they didn't pass one..that is their problem */
		BIO *bio = BIO_new_file(dhfile, "r");
		if(bio != NULL)
		{
			dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
			if(dh == NULL)
			{
				err = ERR_get_error();
				rb_lib_log
					("rb_setup_ssl_server: Error loading DH params file [%s]: %s",
					 dhfile, ERR_error_string(err, NULL));
				BIO_free(bio);
				return 0;
			}
			BIO_free(bio);
			SSL_CTX_set_tmp_dh(ssl_server_ctx, dh);
		}
		else
		{
			err = ERR_get_error();
			rb_lib_log("rb_setup_ssl_server: Error loading DH params file [%s]: %s",
				   dhfile, ERR_error_string(err, NULL));
		}
	}
	return 1;
}

int
rb_ssl_listen(rb_fde_t *F, int backlog)
{
	F->type = RB_FD_SOCKET | RB_FD_LISTEN | RB_FD_SSL;
	return listen(F->fd, backlog);
}

struct ssl_connect
{
	CNCB *callback;
	void *data;
	int timeout;
};

static void
rb_ssl_connect_realcb(rb_fde_t *F, int status, struct ssl_connect *sconn)
{
	F->connect->callback = sconn->callback;
	F->connect->data = sconn->data;
	rb_free(sconn);
	rb_connect_callback(F, status);
}

static void
rb_ssl_tryconn_timeout_cb(rb_fde_t *F, void *data)
{
	rb_ssl_connect_realcb(F, RB_ERR_TIMEOUT, data);
}

static void
rb_ssl_tryconn_cb(rb_fde_t *F, void *data)
{
	struct ssl_connect *sconn = data;
	int ssl_err;
	if(!SSL_is_init_finished((SSL *) F->ssl))
	{
		if((ssl_err = SSL_connect((SSL *) F->ssl)) <= 0)
		{
			switch (ssl_err = SSL_get_error((SSL *) F->ssl, ssl_err))
			{
			case SSL_ERROR_SYSCALL:
				if(rb_ignore_errno(errno))
			case SSL_ERROR_WANT_READ:
			case SSL_ERROR_WANT_WRITE:
					{
						F->ssl_errno = get_last_err();
						rb_setselect(F, RB_SELECT_READ | RB_SELECT_WRITE,
							     rb_ssl_tryconn_cb, sconn);
						return;
					}
			default:
				F->ssl_errno = get_last_err();
				rb_ssl_connect_realcb(F, RB_ERROR_SSL, sconn);
				return;
			}
		}
		else
		{
			rb_ssl_connect_realcb(F, RB_OK, sconn);
		}
	}
}

static void
rb_ssl_tryconn(rb_fde_t *F, int status, void *data)
{
	struct ssl_connect *sconn = data;
	int ssl_err;
	if(status != RB_OK)
	{
		rb_ssl_connect_realcb(F, status, sconn);
		return;
	}

	F->type |= RB_FD_SSL;
	F->ssl = SSL_new(ssl_client_ctx);
	SSL_set_fd((SSL *) F->ssl, F->fd);
	rb_setup_ssl_cb(F);
	rb_settimeout(F, sconn->timeout, rb_ssl_tryconn_timeout_cb, sconn);
	if((ssl_err = SSL_connect((SSL *) F->ssl)) <= 0)
	{
		switch (ssl_err = SSL_get_error((SSL *) F->ssl, ssl_err))
		{
		case SSL_ERROR_SYSCALL:
			if(rb_ignore_errno(errno))
		case SSL_ERROR_WANT_READ:
		case SSL_ERROR_WANT_WRITE:
				{
					F->ssl_errno = get_last_err();
					rb_setselect(F, RB_SELECT_READ | RB_SELECT_WRITE,
						     rb_ssl_tryconn_cb, sconn);
					return;
				}
		default:
			F->ssl_errno = get_last_err();
			rb_ssl_connect_realcb(F, RB_ERROR_SSL, sconn);
			return;
		}
	}
	else
	{
		rb_ssl_connect_realcb(F, RB_OK, sconn);
	}
}

void
rb_connect_tcp_ssl(rb_fde_t *F, struct sockaddr *dest,
		   struct sockaddr *clocal, int socklen, CNCB * callback, void *data, int timeout)
{
	struct ssl_connect *sconn;
	if(F == NULL)
		return;

	sconn = rb_malloc(sizeof(struct ssl_connect));
	sconn->data = data;
	sconn->callback = callback;
	sconn->timeout = timeout;
	rb_connect_tcp(F, dest, clocal, socklen, rb_ssl_tryconn, sconn, timeout);

}

void
rb_ssl_start_connected(rb_fde_t *F, CNCB * callback, void *data, int timeout)
{
	struct ssl_connect *sconn;
	int ssl_err;
	if(F == NULL)
		return;

	sconn = rb_malloc(sizeof(struct ssl_connect));
	sconn->data = data;
	sconn->callback = callback;
	sconn->timeout = timeout;
	F->connect = rb_malloc(sizeof(struct conndata));
	F->connect->callback = callback;
	F->connect->data = data;
	F->type |= RB_FD_SSL;
	F->ssl = SSL_new(ssl_client_ctx);

	SSL_set_fd((SSL *) F->ssl, F->fd);
	rb_setup_ssl_cb(F);
	rb_settimeout(F, sconn->timeout, rb_ssl_tryconn_timeout_cb, sconn);
	if((ssl_err = SSL_connect((SSL *) F->ssl)) <= 0)
	{
		switch (ssl_err = SSL_get_error((SSL *) F->ssl, ssl_err))
		{
		case SSL_ERROR_SYSCALL:
			if(rb_ignore_errno(errno))
		case SSL_ERROR_WANT_READ:
		case SSL_ERROR_WANT_WRITE:
				{
					F->ssl_errno = get_last_err();
					rb_setselect(F, RB_SELECT_READ | RB_SELECT_WRITE,
						     rb_ssl_tryconn_cb, sconn);
					return;
				}
		default:
			F->ssl_errno = get_last_err();
			rb_ssl_connect_realcb(F, RB_ERROR_SSL, sconn);
			return;
		}
	}
	else
	{
		rb_ssl_connect_realcb(F, RB_OK, sconn);
	}
}

int
rb_init_prng(const char *path, prng_seed_t seed_type)
{
	if(seed_type == RB_PRNG_DEFAULT)
	{
#ifdef _WIN32
		RAND_screen();
#endif
		return RAND_status();
	}
	if(path == NULL)
		return RAND_status();

	switch (seed_type)
	{
	case RB_PRNG_EGD:
		if(RAND_egd(path) == -1)
			return -1;
		break;
	case RB_PRNG_FILE:
		if(RAND_load_file(path, -1) == -1)
			return -1;
		break;
#ifdef _WIN32
	case RB_PRNGWIN32:
		RAND_screen();
		break;
#endif
	default:
		return -1;
	}

	return RAND_status();
}

int
rb_get_random(void *buf, size_t length)
{
	int ret;

	if((ret = RAND_bytes(buf, length)) == 0)
	{
		/* remove the error from the queue */
		ERR_get_error();
	}
	return ret;
}

int
rb_get_pseudo_random(void *buf, size_t length)
{
	int ret;
	ret = RAND_pseudo_bytes(buf, length);
	if(ret < 0)
		return 0;
	return 1;
}

const char *
rb_get_ssl_strerror(rb_fde_t *F)
{
	return ERR_error_string(F->ssl_errno, NULL);
}

int
rb_get_ssl_certfp(rb_fde_t *F, uint8_t certfp[RB_SSL_CERTFP_LEN])
{
	X509 *cert;
	int res;

	if (F->ssl == NULL)
		return 0;

	cert = SSL_get_peer_certificate((SSL *) F->ssl);
	if(cert != NULL)
	{
		res = SSL_get_verify_result((SSL *) F->ssl);
		if(res == X509_V_OK ||
				res == X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN ||
				res == X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE ||
				res == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT)
		{
			memcpy(certfp, cert->sha1_hash, RB_SSL_CERTFP_LEN);
			return 1;
		}
	}

	return 0;
}

int
rb_supports_ssl(void)
{
	return 1;
}

void
rb_get_ssl_info(char *buf, size_t len)
{
	rb_snprintf(buf, len, "Using SSL: %s compiled: 0x%lx, library 0x%lx", 
		    SSLeay_version(SSLEAY_VERSION), OPENSSL_VERSION_NUMBER, SSLeay());
}


#endif /* HAVE_OPESSL */
Commit	Line	Data
b57f37fb WP	1	/*
	2	* libratbox: a library used by ircd-ratbox and other things
	3	* openssl.c: openssl related code
	4	*
	5	* Copyright (C) 2007-2008 ircd-ratbox development team
	6	* Copyright (C) 2007-2008 Aaron Sethman <androsyn@ratbox.org>
	7	*
	8	* This program is free software; you can redistribute it and/or modify
	9	* it under the terms of the GNU General Public License as published by
	10	* the Free Software Foundation; either version 2 of the License, or
	11	* (at your option) any later version.
	12	*
	13	* This program is distributed in the hope that it will be useful,
	14	* but WITHOUT ANY WARRANTY; without even the implied warranty of
	15	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	16	* GNU General Public License for more details.
	17	*
	18	* You should have received a copy of the GNU General Public License
	19	* along with this program; if not, write to the Free Software
	20	* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301
	21	* USA
	22	*
	23	* $Id: commio.c 24808 2008-01-02 08:17:05Z androsyn $
	24	*/
	25
	26	#include <libratbox_config.h>
	27	#include <ratbox_lib.h>
	28
	29	#ifdef HAVE_OPENSSL
	30
	31	#include <commio-int.h>
	32	#include <commio-ssl.h>
	33	#include <openssl/ssl.h>
	34	#include <openssl/dh.h>
	35	#include <openssl/err.h>
	36	#include <openssl/rand.h>
	37
	38	static SSL_CTX *ssl_server_ctx;
	39	static SSL_CTX *ssl_client_ctx;
033be687	40	static int libratbox_index = -1;
b57f37fb	41
94b4fbf9 VY	42	static unsigned long
94b4fbf9 VY	43	get_last_err(void)
b57f37fb WP	44	{
	45	unsigned long t_err, err = 0;
	46	err = ERR_get_error();
	47	if(err == 0)
	48	return 0;
94b4fbf9	49
b57f37fb WP	50	while((t_err = ERR_get_error()) > 0)
	51	err = t_err;
	52
	53	return err;
	54	}
	55
	56	void
94b4fbf9	57	rb_ssl_shutdown(rb_fde_t *F)
b57f37fb WP	58	{
	59	int i;
	60	if(F == NULL \|\| F->ssl == NULL)
	61	return;
	62	SSL_set_shutdown((SSL *) F->ssl, SSL_RECEIVED_SHUTDOWN);
	63
94b4fbf9	64	for(i = 0; i < 4; i++)
b57f37fb WP	65	{
	66	if(SSL_shutdown((SSL *) F->ssl))
	67	break;
	68	}
	69	get_last_err();
	70	SSL_free((SSL *) F->ssl);
	71	}
	72
033be687 VY	73	unsigned int
	74	rb_ssl_handshake_count(rb_fde_t *F)
	75	{
	76	return F->handshake_count;
	77	}
	78
	79	void
	80	rb_ssl_clear_handshake_count(rb_fde_t *F)
	81	{
	82	F->handshake_count = 0;
	83	}
	84
b57f37fb	85	static void
94b4fbf9	86	rb_ssl_timeout(rb_fde_t F, void notused)
b57f37fb	87	{
8f40f4bb VY	88	lrb_assert(F->accept != NULL);
8f40f4bb VY	89	F->accept->callback(F, RB_ERR_TIMEOUT, NULL, 0, F->accept->data);
b57f37fb WP	90	}
	91
	92
94b4fbf9 VY	93	static void
94b4fbf9 VY	94	rb_ssl_info_callback(SSL * ssl, int where, int ret)
033be687 VY	95	{
	96	if(where & SSL_CB_HANDSHAKE_START)
	97	{
	98	rb_fde_t *F = SSL_get_ex_data(ssl, libratbox_index);
	99	if(F == NULL)
	100	return;
	101	F->handshake_count++;
94b4fbf9	102	}
033be687 VY	103	}
	104
	105	static void
	106	rb_setup_ssl_cb(rb_fde_t *F)
	107	{
	108	SSL_set_ex_data(F->ssl, libratbox_index, (char *)F);
94b4fbf9	109	SSL_set_info_callback((SSL ) F->ssl, (void ()(const SSL *,int,int))rb_ssl_info_callback);
033be687 VY	110	}
033be687 VY	111
b57f37fb	112	static void
94b4fbf9	113	rb_ssl_tryaccept(rb_fde_t F, void data)
b57f37fb WP	114	{
	115	int ssl_err;
	116	lrb_assert(F->accept != NULL);
8f40f4bb	117	int flags;
b68b0b2c	118	struct acceptdata *ad;
b57f37fb WP	119
	120	if(!SSL_is_init_finished((SSL *) F->ssl))
	121	{
	122	if((ssl_err = SSL_accept((SSL *) F->ssl)) <= 0)
	123	{
	124	switch (ssl_err = SSL_get_error((SSL *) F->ssl, ssl_err))
	125	{
b57f37fb WP	126	case SSL_ERROR_WANT_READ:
b57f37fb WP	127	case SSL_ERROR_WANT_WRITE:
8f40f4bb VY	128	if(ssl_err == SSL_ERROR_WANT_WRITE)
	129	flags = RB_SELECT_WRITE;
	130	else
	131	flags = RB_SELECT_READ;
	132	F->ssl_errno = get_last_err();
	133	rb_setselect(F, flags, rb_ssl_tryaccept, NULL);
	134	break;
	135	case SSL_ERROR_SYSCALL:
	136	F->accept->callback(F, RB_ERROR, NULL, 0, F->accept->data);
	137	break;
b57f37fb WP	138	default:
	139	F->ssl_errno = get_last_err();
	140	F->accept->callback(F, RB_ERROR_SSL, NULL, 0, F->accept->data);
	141	break;
	142	}
	143	return;
	144	}
	145	}
	146	rb_settimeout(F, 0, NULL, NULL);
	147	rb_setselect(F, RB_SELECT_READ \| RB_SELECT_WRITE, NULL, NULL);
94b4fbf9	148
b68b0b2c	149	ad = F->accept;
b57f37fb	150	F->accept = NULL;
94b4fbf9	151	ad->callback(F, RB_OK, (struct sockaddr *)&ad->S, ad->addrlen, ad->data);
b68b0b2c	152	rb_free(ad);
b57f37fb WP	153
	154	}
	155
033be687 VY	156
	157	static void
	158	rb_ssl_accept_common(rb_fde_t *new_F)
b57f37fb WP	159	{
b57f37fb WP	160	int ssl_err;
b57f37fb WP	161	if((ssl_err = SSL_accept((SSL *) new_F->ssl)) <= 0)
	162	{
	163	switch (ssl_err = SSL_get_error((SSL *) new_F->ssl, ssl_err))
	164	{
	165	case SSL_ERROR_SYSCALL:
	166	if(rb_ignore_errno(errno))
	167	case SSL_ERROR_WANT_READ:
	168	case SSL_ERROR_WANT_WRITE:
	169	{
	170	new_F->ssl_errno = get_last_err();
	171	rb_setselect(new_F, RB_SELECT_READ \| RB_SELECT_WRITE,
	172	rb_ssl_tryaccept, NULL);
	173	return;
	174	}
	175	default:
	176	new_F->ssl_errno = get_last_err();
	177	new_F->accept->callback(new_F, RB_ERROR_SSL, NULL, 0, new_F->accept->data);
	178	return;
	179	}
	180	}
	181	else
	182	{
	183	rb_ssl_tryaccept(new_F, NULL);
	184	}
	185	}
	186
033be687	187	void
94b4fbf9	188	rb_ssl_start_accepted(rb_fde_t new_F, ACCB cb, void *data, int timeout)
033be687 VY	189	{
	190	new_F->type \|= RB_FD_SSL;
	191	new_F->ssl = SSL_new(ssl_server_ctx);
	192	new_F->accept = rb_malloc(sizeof(struct acceptdata));
	193
	194	new_F->accept->callback = cb;
	195	new_F->accept->data = data;
	196	rb_settimeout(new_F, timeout, rb_ssl_timeout, NULL);
	197
	198	new_F->accept->addrlen = 0;
	199	SSL_set_fd((SSL *) new_F->ssl, rb_get_fd(new_F));
	200	rb_setup_ssl_cb(new_F);
	201	rb_ssl_accept_common(new_F);
	202	}
	203
b57f37fb WP	204
	205
	206
	207	void
94b4fbf9	208	rb_ssl_accept_setup(rb_fde_t F, rb_fde_t new_F, struct sockaddr *st, int addrlen)
b57f37fb	209	{
b57f37fb WP	210	new_F->type \|= RB_FD_SSL;
	211	new_F->ssl = SSL_new(ssl_server_ctx);
	212	new_F->accept = rb_malloc(sizeof(struct acceptdata));
	213
	214	new_F->accept->callback = F->accept->callback;
	215	new_F->accept->data = F->accept->data;
	216	rb_settimeout(new_F, 10, rb_ssl_timeout, NULL);
	217	memcpy(&new_F->accept->S, st, addrlen);
	218	new_F->accept->addrlen = addrlen;
	219
4414eb3c	220	SSL_set_fd((SSL *) new_F->ssl, rb_get_fd(new_F));
033be687 VY	221	rb_setup_ssl_cb(new_F);
033be687 VY	222	rb_ssl_accept_common(new_F);
b57f37fb WP	223	}
	224
	225	static ssize_t
94b4fbf9	226	rb_ssl_read_or_write(int r_or_w, rb_fde_t F, void rbuf, const void *wbuf, size_t count)
b57f37fb WP	227	{
	228	ssize_t ret;
	229	unsigned long err;
	230	SSL *ssl = F->ssl;
	231
	232	if(r_or_w == 0)
94b4fbf9	233	ret = (ssize_t) SSL_read(ssl, rbuf, (int)count);
b57f37fb	234	else
94b4fbf9	235	ret = (ssize_t) SSL_write(ssl, wbuf, (int)count);
b57f37fb WP	236
	237	if(ret < 0)
	238	{
	239	switch (SSL_get_error(ssl, ret))
	240	{
	241	case SSL_ERROR_WANT_READ:
	242	errno = EAGAIN;
	243	return RB_RW_SSL_NEED_READ;
	244	case SSL_ERROR_WANT_WRITE:
	245	errno = EAGAIN;
	246	return RB_RW_SSL_NEED_WRITE;
	247	case SSL_ERROR_ZERO_RETURN:
	248	return 0;
	249	case SSL_ERROR_SYSCALL:
	250	err = get_last_err();
	251	if(err == 0)
	252	{
	253	F->ssl_errno = 0;
	254	return RB_RW_IO_ERROR;
	255	}
	256	break;
	257	default:
	258	err = get_last_err();
	259	break;
	260	}
	261	F->ssl_errno = err;
	262	if(err > 0)
	263	{
	264	errno = EIO; /* not great but... */
	265	return RB_RW_SSL_ERROR;
	266	}
	267	return RB_RW_IO_ERROR;
	268	}
	269	return ret;
	270	}
	271
	272	ssize_t
94b4fbf9	273	rb_ssl_read(rb_fde_t F, void buf, size_t count)
b57f37fb WP	274	{
	275	return rb_ssl_read_or_write(0, F, buf, NULL, count);
	276	}
	277
	278	ssize_t
94b4fbf9	279	rb_ssl_write(rb_fde_t F, const void buf, size_t count)
b57f37fb WP	280	{
	281	return rb_ssl_read_or_write(1, F, NULL, buf, count);
	282	}
	283
a099270d JT	284	static int
	285	verify_accept_all_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)
	286	{
	287	return 1;
	288	}
	289
b57f37fb WP	290	int
	291	rb_init_ssl(void)
	292	{
	293	int ret = 1;
033be687	294	char libratbox_data[] = "libratbox data";
b57f37fb WP	295	SSL_load_error_strings();
b57f37fb WP	296	SSL_library_init();
033be687	297	libratbox_index = SSL_get_ex_new_index(0, libratbox_data, NULL, NULL, NULL);
b57f37fb WP	298	ssl_server_ctx = SSL_CTX_new(SSLv23_server_method());
	299	if(ssl_server_ctx == NULL)
	300	{
	301	rb_lib_log("rb_init_openssl: Unable to initialize OpenSSL server context: %s",
	302	ERR_error_string(ERR_get_error(), NULL));
	303	ret = 0;
	304	}
	305	/* Disable SSLv2, make the client use our settings */
	306	SSL_CTX_set_options(ssl_server_ctx, SSL_OP_NO_SSLv2 \| SSL_OP_CIPHER_SERVER_PREFERENCE);
a099270d	307	SSL_CTX_set_verify(ssl_server_ctx, SSL_VERIFY_PEER \| SSL_VERIFY_CLIENT_ONCE, verify_accept_all_cb);
94b4fbf9	308
b57f37fb WP	309	ssl_client_ctx = SSL_CTX_new(TLSv1_client_method());
	310
	311	if(ssl_client_ctx == NULL)
	312	{
	313	rb_lib_log("rb_init_openssl: Unable to initialize OpenSSL client context: %s",
	314	ERR_error_string(ERR_get_error(), NULL));
	315	ret = 0;
	316	}
	317	return ret;
	318	}
	319
	320
	321	int
	322	rb_setup_ssl_server(const char cert, const char keyfile, const char *dhfile)
	323	{
b57f37fb WP	324	DH *dh;
	325	unsigned long err;
	326	if(cert == NULL)
	327	{
	328	rb_lib_log("rb_setup_ssl_server: No certificate file");
	329	return 0;
	330	}
f030cae8	331	if(!SSL_CTX_use_certificate_chain_file(ssl_server_ctx, cert))
b57f37fb WP	332	{
	333	err = ERR_get_error();
	334	rb_lib_log("rb_setup_ssl_server: Error loading certificate file [%s]: %s", cert,
	335	ERR_error_string(err, NULL));
	336	return 0;
	337	}
	338
	339	if(keyfile == NULL)
	340	{
	341	rb_lib_log("rb_setup_ssl_server: No key file");
	342	return 0;
	343	}
	344
	345
	346	if(!SSL_CTX_use_PrivateKey_file(ssl_server_ctx, keyfile, SSL_FILETYPE_PEM))
	347	{
	348	err = ERR_get_error();
	349	rb_lib_log("rb_setup_ssl_server: Error loading keyfile [%s]: %s", keyfile,
	350	ERR_error_string(err, NULL));
	351	return 0;
	352	}
	353
	354	if(dhfile != NULL)
	355	{
	356	/* DH parameters aren't necessary, but they are nice..if they didn't pass one..that is their problem */
94b4fbf9 VY	357	BIO *bio = BIO_new_file(dhfile, "r");
94b4fbf9 VY	358	if(bio != NULL)
b57f37fb	359	{
94b4fbf9	360	dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
b57f37fb WP	361	if(dh == NULL)
	362	{
	363	err = ERR_get_error();
	364	rb_lib_log
	365	("rb_setup_ssl_server: Error loading DH params file [%s]: %s",
94b4fbf9 VY	366	dhfile, ERR_error_string(err, NULL));
94b4fbf9 VY	367	BIO_free(bio);
b57f37fb WP	368	return 0;
b57f37fb WP	369	}
94b4fbf9	370	BIO_free(bio);
b57f37fb	371	SSL_CTX_set_tmp_dh(ssl_server_ctx, dh);
94b4fbf9 VY	372	}
	373	else
	374	{
	375	err = ERR_get_error();
	376	rb_lib_log("rb_setup_ssl_server: Error loading DH params file [%s]: %s",
	377	dhfile, ERR_error_string(err, NULL));
b57f37fb WP	378	}
	379	}
	380	return 1;
	381	}
	382
	383	int
94b4fbf9	384	rb_ssl_listen(rb_fde_t *F, int backlog)
b57f37fb WP	385	{
	386	F->type = RB_FD_SOCKET \| RB_FD_LISTEN \| RB_FD_SSL;
	387	return listen(F->fd, backlog);
	388	}
	389
	390	struct ssl_connect
	391	{
	392	CNCB *callback;
	393	void *data;
	394	int timeout;
	395	};
	396
	397	static void
94b4fbf9	398	rb_ssl_connect_realcb(rb_fde_t F, int status, struct ssl_connect sconn)
b57f37fb WP	399	{
	400	F->connect->callback = sconn->callback;
	401	F->connect->data = sconn->data;
	402	rb_free(sconn);
	403	rb_connect_callback(F, status);
	404	}
	405
	406	static void
94b4fbf9	407	rb_ssl_tryconn_timeout_cb(rb_fde_t F, void data)
b57f37fb WP	408	{
	409	rb_ssl_connect_realcb(F, RB_ERR_TIMEOUT, data);
	410	}
	411
	412	static void
94b4fbf9	413	rb_ssl_tryconn_cb(rb_fde_t F, void data)
b57f37fb WP	414	{
	415	struct ssl_connect *sconn = data;
	416	int ssl_err;
	417	if(!SSL_is_init_finished((SSL *) F->ssl))
	418	{
	419	if((ssl_err = SSL_connect((SSL *) F->ssl)) <= 0)
	420	{
	421	switch (ssl_err = SSL_get_error((SSL *) F->ssl, ssl_err))
	422	{
	423	case SSL_ERROR_SYSCALL:
	424	if(rb_ignore_errno(errno))
	425	case SSL_ERROR_WANT_READ:
	426	case SSL_ERROR_WANT_WRITE:
	427	{
	428	F->ssl_errno = get_last_err();
	429	rb_setselect(F, RB_SELECT_READ \| RB_SELECT_WRITE,
	430	rb_ssl_tryconn_cb, sconn);
	431	return;
	432	}
	433	default:
	434	F->ssl_errno = get_last_err();
	435	rb_ssl_connect_realcb(F, RB_ERROR_SSL, sconn);
	436	return;
	437	}
	438	}
	439	else
	440	{
	441	rb_ssl_connect_realcb(F, RB_OK, sconn);
	442	}
	443	}
	444	}
	445
	446	static void
94b4fbf9	447	rb_ssl_tryconn(rb_fde_t F, int status, void data)
b57f37fb WP	448	{
	449	struct ssl_connect *sconn = data;
	450	int ssl_err;
	451	if(status != RB_OK)
	452	{
	453	rb_ssl_connect_realcb(F, status, sconn);
	454	return;
	455	}
	456
	457	F->type \|= RB_FD_SSL;
	458	F->ssl = SSL_new(ssl_client_ctx);
	459	SSL_set_fd((SSL *) F->ssl, F->fd);
033be687	460	rb_setup_ssl_cb(F);
b57f37fb WP	461	rb_settimeout(F, sconn->timeout, rb_ssl_tryconn_timeout_cb, sconn);
	462	if((ssl_err = SSL_connect((SSL *) F->ssl)) <= 0)
	463	{
	464	switch (ssl_err = SSL_get_error((SSL *) F->ssl, ssl_err))
	465	{
	466	case SSL_ERROR_SYSCALL:
	467	if(rb_ignore_errno(errno))
	468	case SSL_ERROR_WANT_READ:
	469	case SSL_ERROR_WANT_WRITE:
	470	{
	471	F->ssl_errno = get_last_err();
	472	rb_setselect(F, RB_SELECT_READ \| RB_SELECT_WRITE,
	473	rb_ssl_tryconn_cb, sconn);
	474	return;
	475	}
	476	default:
	477	F->ssl_errno = get_last_err();
	478	rb_ssl_connect_realcb(F, RB_ERROR_SSL, sconn);
	479	return;
	480	}
	481	}
	482	else
	483	{
	484	rb_ssl_connect_realcb(F, RB_OK, sconn);
	485	}
	486	}
	487
	488	void
94b4fbf9	489	rb_connect_tcp_ssl(rb_fde_t F, struct sockaddr dest,
b57f37fb WP	490	struct sockaddr clocal, int socklen, CNCB callback, void *data, int timeout)
	491	{
	492	struct ssl_connect *sconn;
	493	if(F == NULL)
	494	return;
	495
	496	sconn = rb_malloc(sizeof(struct ssl_connect));
	497	sconn->data = data;
	498	sconn->callback = callback;
	499	sconn->timeout = timeout;
	500	rb_connect_tcp(F, dest, clocal, socklen, rb_ssl_tryconn, sconn, timeout);
	501
	502	}
	503
	504	void
94b4fbf9	505	rb_ssl_start_connected(rb_fde_t F, CNCB callback, void *data, int timeout)
b57f37fb WP	506	{
	507	struct ssl_connect *sconn;
	508	int ssl_err;
	509	if(F == NULL)
	510	return;
	511
	512	sconn = rb_malloc(sizeof(struct ssl_connect));
	513	sconn->data = data;
	514	sconn->callback = callback;
	515	sconn->timeout = timeout;
	516	F->connect = rb_malloc(sizeof(struct conndata));
	517	F->connect->callback = callback;
	518	F->connect->data = data;
	519	F->type \|= RB_FD_SSL;
	520	F->ssl = SSL_new(ssl_client_ctx);
94b4fbf9	521
b57f37fb	522	SSL_set_fd((SSL *) F->ssl, F->fd);
033be687	523	rb_setup_ssl_cb(F);
b57f37fb WP	524	rb_settimeout(F, sconn->timeout, rb_ssl_tryconn_timeout_cb, sconn);
	525	if((ssl_err = SSL_connect((SSL *) F->ssl)) <= 0)
	526	{
	527	switch (ssl_err = SSL_get_error((SSL *) F->ssl, ssl_err))
	528	{
	529	case SSL_ERROR_SYSCALL:
	530	if(rb_ignore_errno(errno))
	531	case SSL_ERROR_WANT_READ:
	532	case SSL_ERROR_WANT_WRITE:
	533	{
	534	F->ssl_errno = get_last_err();
	535	rb_setselect(F, RB_SELECT_READ \| RB_SELECT_WRITE,
	536	rb_ssl_tryconn_cb, sconn);
	537	return;
	538	}
	539	default:
	540	F->ssl_errno = get_last_err();
	541	rb_ssl_connect_realcb(F, RB_ERROR_SSL, sconn);
	542	return;
	543	}
	544	}
	545	else
	546	{
	547	rb_ssl_connect_realcb(F, RB_OK, sconn);
	548	}
	549	}
	550
	551	int
	552	rb_init_prng(const char *path, prng_seed_t seed_type)
	553	{
	554	if(seed_type == RB_PRNG_DEFAULT)
	555	{
94b4fbf9	556	#ifdef _WIN32
b57f37fb WP	557	RAND_screen();
	558	#endif
	559	return RAND_status();
	560	}
	561	if(path == NULL)
	562	return RAND_status();
	563
	564	switch (seed_type)
	565	{
	566	case RB_PRNG_EGD:
	567	if(RAND_egd(path) == -1)
	568	return -1;
	569	break;
	570	case RB_PRNG_FILE:
	571	if(RAND_load_file(path, -1) == -1)
	572	return -1;
	573	break;
94b4fbf9	574	#ifdef _WIN32
b57f37fb WP	575	case RB_PRNGWIN32:
	576	RAND_screen();
	577	break;
	578	#endif
	579	default:
	580	return -1;
	581	}
	582
	583	return RAND_status();
	584	}
	585
	586	int
	587	rb_get_random(void *buf, size_t length)
	588	{
4414eb3c	589	int ret;
94b4fbf9	590
4414eb3c	591	if((ret = RAND_bytes(buf, length)) == 0)
b57f37fb	592	{
4414eb3c	593	/* remove the error from the queue */
94b4fbf9	594	ERR_get_error();
b57f37fb	595	}
4414eb3c	596	return ret;
b57f37fb WP	597	}
b57f37fb WP	598
4414eb3c VY	599	int
	600	rb_get_pseudo_random(void *buf, size_t length)
	601	{
	602	int ret;
	603	ret = RAND_pseudo_bytes(buf, length);
	604	if(ret < 0)
	605	return 0;
	606	return 1;
	607	}
b57f37fb WP	608
b57f37fb WP	609	const char *
94b4fbf9	610	rb_get_ssl_strerror(rb_fde_t *F)
b57f37fb WP	611	{
	612	return ERR_error_string(F->ssl_errno, NULL);
	613	}
	614
a099270d JT	615	int
	616	rb_get_ssl_certfp(rb_fde_t *F, uint8_t certfp[RB_SSL_CERTFP_LEN])
	617	{
	618	X509 *cert;
	619	int res;
	620
	621	if (F->ssl == NULL)
	622	return 0;
	623
	624	cert = SSL_get_peer_certificate((SSL *) F->ssl);
	625	if(cert != NULL)
	626	{
	627	res = SSL_get_verify_result((SSL *) F->ssl);
	628	if(res == X509_V_OK \|\|
	629	res == X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN \|\|
	630	res == X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE \|\|
	631	res == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT)
	632	{
	633	memcpy(certfp, cert->sha1_hash, RB_SSL_CERTFP_LEN);
	634	return 1;
	635	}
	636	}
	637
	638	return 0;
	639	}
	640
b57f37fb WP	641	int
	642	rb_supports_ssl(void)
	643	{
	644	return 1;
	645	}
	646
f030cae8 VY	647	void
	648	rb_get_ssl_info(char *buf, size_t len)
	649	{
	650	rb_snprintf(buf, len, "Using SSL: %s compiled: 0x%lx, library 0x%lx",
	651	SSLeay_version(SSLEAY_VERSION), OPENSSL_VERSION_NUMBER, SSLeay());
	652	}
	653
	654
b57f37fb	655	#endif /* HAVE_OPESSL */