]>
Commit | Line | Data |
---|---|---|
af6f5d47 WP |
1 | /* |
2 | * libratbox: a library used by ircd-ratbox and other things | |
3 | * gnutls.c: gnutls related code | |
4 | * | |
5 | * Copyright (C) 2007-2008 ircd-ratbox development team | |
6 | * Copyright (C) 2007-2008 Aaron Sethman <androsyn@ratbox.org> | |
af6f5d47 WP |
7 | * |
8 | * This program is free software; you can redistribute it and/or modify | |
9 | * it under the terms of the GNU General Public License as published by | |
10 | * the Free Software Foundation; either version 2 of the License, or | |
11 | * (at your option) any later version. | |
12 | * | |
13 | * This program is distributed in the hope that it will be useful, | |
14 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | |
15 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
16 | * GNU General Public License for more details. | |
17 | * | |
18 | * You should have received a copy of the GNU General Public License | |
19 | * along with this program; if not, write to the Free Software | |
20 | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 | |
21 | * USA | |
22 | * | |
f030cae8 | 23 | * $Id: gnutls.c 26296 2008-12-13 03:36:00Z androsyn $ |
af6f5d47 WP |
24 | */ |
25 | ||
26 | #include <libratbox_config.h> | |
27 | #include <ratbox_lib.h> | |
af6f5d47 WP |
28 | #include <commio-int.h> |
29 | #include <commio-ssl.h> | |
033be687 VY |
30 | #ifdef HAVE_GNUTLS |
31 | ||
af6f5d47 | 32 | #include <gnutls/gnutls.h> |
0a625836 | 33 | #include <gnutls/x509.h> |
033be687 VY |
34 | #include <gcrypt.h> |
35 | ||
36 | static gnutls_certificate_credentials x509; | |
37 | static gnutls_dh_params dh_params; | |
af6f5d47 | 38 | |
033be687 VY |
39 | |
40 | ||
41 | #define SSL_P(x) *((gnutls_session_t *)F->ssl) | |
af6f5d47 WP |
42 | |
43 | void | |
94b4fbf9 | 44 | rb_ssl_shutdown(rb_fde_t *F) |
af6f5d47 | 45 | { |
033be687 | 46 | int i; |
af6f5d47 WP |
47 | if(F == NULL || F->ssl == NULL) |
48 | return; | |
94b4fbf9 | 49 | for(i = 0; i < 4; i++) |
033be687 VY |
50 | { |
51 | if(gnutls_bye(SSL_P(F), GNUTLS_SHUT_RDWR) == GNUTLS_E_SUCCESS) | |
52 | break; | |
53 | } | |
54 | gnutls_deinit(SSL_P(F)); | |
55 | rb_free(F->ssl); | |
56 | } | |
af6f5d47 | 57 | |
033be687 VY |
58 | unsigned int |
59 | rb_ssl_handshake_count(rb_fde_t *F) | |
60 | { | |
61 | return F->handshake_count; | |
62 | } | |
63 | ||
64 | void | |
65 | rb_ssl_clear_handshake_count(rb_fde_t *F) | |
66 | { | |
67 | F->handshake_count = 0; | |
af6f5d47 WP |
68 | } |
69 | ||
70 | static void | |
94b4fbf9 | 71 | rb_ssl_timeout(rb_fde_t *F, void *notused) |
af6f5d47 WP |
72 | { |
73 | lrb_assert(F->accept != NULL); | |
74 | F->accept->callback(F, RB_ERR_TIMEOUT, NULL, 0, F->accept->data); | |
75 | } | |
76 | ||
033be687 | 77 | |
94b4fbf9 VY |
78 | static int |
79 | do_ssl_handshake(rb_fde_t *F, PF * callback) | |
033be687 VY |
80 | { |
81 | int ret; | |
94b4fbf9 | 82 | int flags; |
033be687 VY |
83 | |
84 | ret = gnutls_handshake(SSL_P(F)); | |
85 | if(ret < 0) | |
86 | { | |
87 | if((ret == GNUTLS_E_INTERRUPTED && rb_ignore_errno(errno)) || ret == GNUTLS_E_AGAIN) | |
88 | { | |
89 | if(gnutls_record_get_direction(SSL_P(F)) == 0) | |
90 | flags = RB_SELECT_READ; | |
91 | else | |
92 | flags = RB_SELECT_WRITE; | |
94b4fbf9 | 93 | rb_setselect(F, flags, callback, NULL); |
033be687 VY |
94 | return 0; |
95 | } | |
96 | F->ssl_errno = ret; | |
97 | return -1; | |
94b4fbf9 VY |
98 | } |
99 | return 1; /* handshake is finished..go about life */ | |
033be687 VY |
100 | } |
101 | ||
af6f5d47 | 102 | static void |
94b4fbf9 | 103 | rb_ssl_tryaccept(rb_fde_t *F, void *data) |
af6f5d47 | 104 | { |
033be687 | 105 | int ret; |
af6f5d47 WP |
106 | struct acceptdata *ad; |
107 | ||
033be687 | 108 | lrb_assert(F->accept != NULL); |
af6f5d47 | 109 | |
033be687 | 110 | ret = do_ssl_handshake(F, rb_ssl_tryaccept); |
94b4fbf9 | 111 | |
f030cae8 VY |
112 | /* do_ssl_handshake does the rb_setselect */ |
113 | if(ret == 0) | |
94b4fbf9 | 114 | return; |
94b4fbf9 | 115 | |
f030cae8 VY |
116 | ad = F->accept; |
117 | F->accept = NULL; | |
af6f5d47 WP |
118 | rb_settimeout(F, 0, NULL, NULL); |
119 | rb_setselect(F, RB_SELECT_READ | RB_SELECT_WRITE, NULL, NULL); | |
f030cae8 VY |
120 | |
121 | if(ret > 0) | |
122 | ad->callback(F, RB_OK, (struct sockaddr *)&ad->S, ad->addrlen, ad->data); | |
123 | else | |
124 | ad->callback(F, RB_ERROR_SSL, NULL, 0, ad->data); | |
94b4fbf9 | 125 | |
af6f5d47 WP |
126 | rb_free(ad); |
127 | } | |
128 | ||
129 | void | |
94b4fbf9 | 130 | rb_ssl_start_accepted(rb_fde_t *new_F, ACCB * cb, void *data, int timeout) |
af6f5d47 | 131 | { |
033be687 | 132 | gnutls_session_t *ssl; |
af6f5d47 | 133 | new_F->type |= RB_FD_SSL; |
033be687 | 134 | ssl = new_F->ssl = rb_malloc(sizeof(gnutls_session_t)); |
af6f5d47 | 135 | new_F->accept = rb_malloc(sizeof(struct acceptdata)); |
94b4fbf9 | 136 | |
af6f5d47 WP |
137 | new_F->accept->callback = cb; |
138 | new_F->accept->data = data; | |
139 | rb_settimeout(new_F, timeout, rb_ssl_timeout, NULL); | |
140 | ||
141 | new_F->accept->addrlen = 0; | |
142 | ||
94b4fbf9 | 143 | gnutls_init(ssl, GNUTLS_SERVER); |
033be687 VY |
144 | gnutls_set_default_priority(*ssl); |
145 | gnutls_credentials_set(*ssl, GNUTLS_CRD_CERTIFICATE, x509); | |
146 | gnutls_dh_set_prime_bits(*ssl, 1024); | |
147 | gnutls_transport_set_ptr(*ssl, (gnutls_transport_ptr_t) (long int)new_F->fd); | |
0a625836 | 148 | gnutls_certificate_server_set_request(*ssl, GNUTLS_CERT_REQUEST); |
033be687 | 149 | if(do_ssl_handshake(new_F, rb_ssl_tryaccept)) |
af6f5d47 | 150 | { |
033be687 | 151 | struct acceptdata *ad = new_F->accept; |
af6f5d47 | 152 | new_F->accept = NULL; |
94b4fbf9 VY |
153 | ad->callback(new_F, RB_OK, (struct sockaddr *)&ad->S, ad->addrlen, ad->data); |
154 | rb_free(ad); | |
af6f5d47 | 155 | } |
033be687 | 156 | |
af6f5d47 WP |
157 | } |
158 | ||
033be687 VY |
159 | |
160 | ||
161 | ||
af6f5d47 | 162 | void |
94b4fbf9 | 163 | rb_ssl_accept_setup(rb_fde_t *F, rb_fde_t *new_F, struct sockaddr *st, int addrlen) |
af6f5d47 | 164 | { |
af6f5d47 | 165 | new_F->type |= RB_FD_SSL; |
033be687 | 166 | new_F->ssl = rb_malloc(sizeof(gnutls_session_t)); |
af6f5d47 WP |
167 | new_F->accept = rb_malloc(sizeof(struct acceptdata)); |
168 | ||
169 | new_F->accept->callback = F->accept->callback; | |
170 | new_F->accept->data = F->accept->data; | |
171 | rb_settimeout(new_F, 10, rb_ssl_timeout, NULL); | |
172 | memcpy(&new_F->accept->S, st, addrlen); | |
173 | new_F->accept->addrlen = addrlen; | |
174 | ||
94b4fbf9 | 175 | gnutls_init((gnutls_session_t *) new_F->ssl, GNUTLS_SERVER); |
033be687 VY |
176 | gnutls_set_default_priority(SSL_P(new_F)); |
177 | gnutls_credentials_set(SSL_P(new_F), GNUTLS_CRD_CERTIFICATE, x509); | |
178 | gnutls_dh_set_prime_bits(SSL_P(new_F), 1024); | |
4414eb3c | 179 | gnutls_transport_set_ptr(SSL_P(new_F), (gnutls_transport_ptr_t) (long int)rb_get_fd(new_F)); |
0a625836 | 180 | gnutls_certificate_server_set_request(SSL_P(new_F), GNUTLS_CERT_REQUEST); |
033be687 | 181 | if(do_ssl_handshake(F, rb_ssl_tryaccept)) |
af6f5d47 | 182 | { |
033be687 VY |
183 | struct acceptdata *ad = F->accept; |
184 | F->accept = NULL; | |
94b4fbf9 VY |
185 | ad->callback(F, RB_OK, (struct sockaddr *)&ad->S, ad->addrlen, ad->data); |
186 | rb_free(ad); | |
033be687 VY |
187 | } |
188 | } | |
af6f5d47 | 189 | |
af6f5d47 | 190 | |
af6f5d47 | 191 | |
af6f5d47 WP |
192 | |
193 | static ssize_t | |
94b4fbf9 | 194 | rb_ssl_read_or_write(int r_or_w, rb_fde_t *F, void *rbuf, const void *wbuf, size_t count) |
af6f5d47 WP |
195 | { |
196 | ssize_t ret; | |
033be687 | 197 | gnutls_session_t *ssl = F->ssl; |
af6f5d47 WP |
198 | |
199 | if(r_or_w == 0) | |
033be687 | 200 | ret = gnutls_record_recv(*ssl, rbuf, count); |
af6f5d47 | 201 | else |
033be687 | 202 | ret = gnutls_record_send(*ssl, wbuf, count); |
af6f5d47 WP |
203 | |
204 | if(ret < 0) | |
205 | { | |
94b4fbf9 | 206 | switch (ret) |
af6f5d47 WP |
207 | { |
208 | case GNUTLS_E_AGAIN: | |
af6f5d47 | 209 | case GNUTLS_E_INTERRUPTED: |
033be687 | 210 | if(rb_ignore_errno(errno)) |
af6f5d47 | 211 | { |
033be687 VY |
212 | if(gnutls_record_get_direction(*ssl) == 0) |
213 | return RB_RW_SSL_NEED_READ; | |
214 | else | |
215 | return RB_RW_SSL_NEED_WRITE; | |
216 | break; | |
af6f5d47 | 217 | } |
af6f5d47 | 218 | default: |
033be687 VY |
219 | F->ssl_errno = ret; |
220 | errno = EIO; | |
221 | return RB_RW_IO_ERROR; | |
af6f5d47 | 222 | } |
af6f5d47 WP |
223 | } |
224 | return ret; | |
225 | } | |
226 | ||
227 | ssize_t | |
94b4fbf9 | 228 | rb_ssl_read(rb_fde_t *F, void *buf, size_t count) |
af6f5d47 WP |
229 | { |
230 | return rb_ssl_read_or_write(0, F, buf, NULL, count); | |
231 | } | |
232 | ||
233 | ssize_t | |
94b4fbf9 | 234 | rb_ssl_write(rb_fde_t *F, const void *buf, size_t count) |
af6f5d47 WP |
235 | { |
236 | return rb_ssl_read_or_write(1, F, NULL, buf, count); | |
237 | } | |
238 | ||
033be687 VY |
239 | static void |
240 | rb_gcry_random_seed(void *unused) | |
241 | { | |
242 | gcry_fast_random_poll(); | |
243 | } | |
244 | ||
af6f5d47 WP |
245 | int |
246 | rb_init_ssl(void) | |
247 | { | |
af6f5d47 | 248 | gnutls_global_init(); |
94b4fbf9 | 249 | |
033be687 | 250 | if(gnutls_certificate_allocate_credentials(&x509) != GNUTLS_E_SUCCESS) |
af6f5d47 | 251 | { |
033be687 VY |
252 | rb_lib_log("rb_init_ssl: Unable to allocate SSL/TLS certificate credentials"); |
253 | return 0; | |
af6f5d47 | 254 | } |
033be687 VY |
255 | rb_event_addish("rb_gcry_random_seed", rb_gcry_random_seed, NULL, 300); |
256 | return 1; | |
257 | } | |
af6f5d47 | 258 | |
033be687 | 259 | static void |
94b4fbf9 | 260 | rb_free_datum_t(gnutls_datum_t * d) |
033be687 VY |
261 | { |
262 | rb_free(d->data); | |
263 | rb_free(d); | |
264 | } | |
af6f5d47 | 265 | |
033be687 VY |
266 | static gnutls_datum_t * |
267 | rb_load_file_into_datum_t(const char *file) | |
268 | { | |
269 | FILE *f; | |
270 | gnutls_datum_t *datum; | |
271 | struct stat fileinfo; | |
272 | if((f = fopen(file, "r")) == NULL) | |
273 | return NULL; | |
274 | if(fstat(fileno(f), &fileinfo)) | |
275 | return NULL; | |
276 | ||
277 | datum = rb_malloc(sizeof(gnutls_datum_t)); | |
278 | ||
94b4fbf9 | 279 | if(fileinfo.st_size > 131072) /* deal with retards */ |
033be687 VY |
280 | datum->size = 131072; |
281 | else | |
94b4fbf9 VY |
282 | datum->size = fileinfo.st_size; |
283 | ||
033be687 VY |
284 | datum->data = rb_malloc(datum->size + 1); |
285 | fread(datum->data, datum->size, 1, f); | |
286 | fclose(f); | |
94b4fbf9 | 287 | return datum; |
af6f5d47 WP |
288 | } |
289 | ||
290 | int | |
291 | rb_setup_ssl_server(const char *cert, const char *keyfile, const char *dhfile) | |
292 | { | |
033be687 VY |
293 | int ret; |
294 | gnutls_datum_t *d_cert, *d_key; | |
295 | if(cert == NULL) | |
296 | { | |
297 | rb_lib_log("rb_setup_ssl_server: No certificate file"); | |
298 | return 0; | |
299 | } | |
af6f5d47 | 300 | |
033be687 | 301 | if((d_cert = rb_load_file_into_datum_t(cert)) == NULL) |
af6f5d47 | 302 | { |
033be687 | 303 | rb_lib_log("rb_setup_ssl_server: Error loading certificate: %s", strerror(errno)); |
af6f5d47 WP |
304 | return 0; |
305 | } | |
306 | ||
033be687 VY |
307 | if((d_key = rb_load_file_into_datum_t(keyfile)) == NULL) |
308 | { | |
309 | rb_lib_log("rb_setup_ssl_server: Error loading key: %s", strerror(errno)); | |
310 | return 0; | |
311 | } | |
94b4fbf9 VY |
312 | |
313 | ||
314 | if((ret = | |
315 | gnutls_certificate_set_x509_key_mem(x509, d_cert, d_key, | |
316 | GNUTLS_X509_FMT_PEM)) != GNUTLS_E_SUCCESS) | |
033be687 | 317 | { |
94b4fbf9 VY |
318 | rb_lib_log("rb_setup_ssl_server: Error loading certificate or key file: %s", |
319 | gnutls_strerror(ret)); | |
033be687 VY |
320 | return 0; |
321 | } | |
322 | rb_free_datum_t(d_cert); | |
323 | rb_free_datum_t(d_key); | |
94b4fbf9 | 324 | |
033be687 VY |
325 | if(dhfile != NULL) |
326 | { | |
327 | if(gnutls_dh_params_init(&dh_params) == GNUTLS_E_SUCCESS) | |
328 | { | |
329 | gnutls_datum_t *data; | |
330 | int xret; | |
331 | data = rb_load_file_into_datum_t(dhfile); | |
332 | if(data != NULL) | |
333 | { | |
94b4fbf9 VY |
334 | xret = gnutls_dh_params_import_pkcs3(dh_params, data, |
335 | GNUTLS_X509_FMT_PEM); | |
033be687 | 336 | if(xret < 0) |
94b4fbf9 VY |
337 | rb_lib_log |
338 | ("rb_setup_ssl_server: Error parsing DH file: %s\n", | |
339 | gnutls_strerror(xret)); | |
033be687 VY |
340 | rb_free_datum_t(data); |
341 | } | |
342 | gnutls_certificate_set_dh_params(x509, dh_params); | |
94b4fbf9 VY |
343 | } |
344 | else | |
033be687 VY |
345 | rb_lib_log("rb_setup_ssl_server: Unable to setup DH parameters"); |
346 | } | |
af6f5d47 WP |
347 | return 1; |
348 | } | |
349 | ||
350 | int | |
94b4fbf9 | 351 | rb_ssl_listen(rb_fde_t *F, int backlog) |
af6f5d47 WP |
352 | { |
353 | F->type = RB_FD_SOCKET | RB_FD_LISTEN | RB_FD_SSL; | |
354 | return listen(F->fd, backlog); | |
355 | } | |
356 | ||
357 | struct ssl_connect | |
358 | { | |
359 | CNCB *callback; | |
360 | void *data; | |
361 | int timeout; | |
362 | }; | |
363 | ||
364 | static void | |
94b4fbf9 | 365 | rb_ssl_connect_realcb(rb_fde_t *F, int status, struct ssl_connect *sconn) |
af6f5d47 WP |
366 | { |
367 | F->connect->callback = sconn->callback; | |
368 | F->connect->data = sconn->data; | |
369 | rb_free(sconn); | |
370 | rb_connect_callback(F, status); | |
371 | } | |
372 | ||
373 | static void | |
94b4fbf9 | 374 | rb_ssl_tryconn_timeout_cb(rb_fde_t *F, void *data) |
af6f5d47 WP |
375 | { |
376 | rb_ssl_connect_realcb(F, RB_ERR_TIMEOUT, data); | |
377 | } | |
378 | ||
379 | static void | |
94b4fbf9 | 380 | rb_ssl_tryconn_cb(rb_fde_t *F, void *data) |
af6f5d47 WP |
381 | { |
382 | struct ssl_connect *sconn = data; | |
033be687 VY |
383 | int ret; |
384 | ||
94b4fbf9 VY |
385 | ret = do_ssl_handshake(F, rb_ssl_tryconn_cb); |
386 | ||
387 | switch (ret) | |
388 | { | |
389 | case -1: | |
390 | rb_ssl_connect_realcb(F, RB_ERROR_SSL, sconn); | |
391 | break; | |
392 | case 0: | |
393 | /* do_ssl_handshake does the rb_setselect stuff */ | |
394 | return; | |
395 | default: | |
396 | break; | |
397 | ||
398 | ||
399 | } | |
033be687 | 400 | rb_ssl_connect_realcb(F, RB_OK, sconn); |
af6f5d47 WP |
401 | } |
402 | ||
403 | static void | |
94b4fbf9 | 404 | rb_ssl_tryconn(rb_fde_t *F, int status, void *data) |
af6f5d47 | 405 | { |
af6f5d47 | 406 | struct ssl_connect *sconn = data; |
af6f5d47 WP |
407 | if(status != RB_OK) |
408 | { | |
409 | rb_ssl_connect_realcb(F, status, sconn); | |
410 | return; | |
411 | } | |
412 | ||
413 | F->type |= RB_FD_SSL; | |
414 | ||
94b4fbf9 | 415 | |
af6f5d47 | 416 | rb_settimeout(F, sconn->timeout, rb_ssl_tryconn_timeout_cb, sconn); |
033be687 | 417 | F->ssl = rb_malloc(sizeof(gnutls_session_t)); |
94b4fbf9 VY |
418 | gnutls_init(F->ssl, GNUTLS_CLIENT); |
419 | gnutls_set_default_priority(SSL_P(F)); | |
033be687 VY |
420 | gnutls_dh_set_prime_bits(SSL_P(F), 1024); |
421 | gnutls_transport_set_ptr(SSL_P(F), (gnutls_transport_ptr_t) (long int)F->fd); | |
422 | ||
423 | if(do_ssl_handshake(F, rb_ssl_tryconn_cb)) | |
af6f5d47 WP |
424 | { |
425 | rb_ssl_connect_realcb(F, RB_OK, sconn); | |
426 | } | |
427 | } | |
428 | ||
429 | void | |
94b4fbf9 | 430 | rb_connect_tcp_ssl(rb_fde_t *F, struct sockaddr *dest, |
af6f5d47 WP |
431 | struct sockaddr *clocal, int socklen, CNCB * callback, void *data, int timeout) |
432 | { | |
433 | struct ssl_connect *sconn; | |
434 | if(F == NULL) | |
435 | return; | |
436 | ||
437 | sconn = rb_malloc(sizeof(struct ssl_connect)); | |
438 | sconn->data = data; | |
439 | sconn->callback = callback; | |
440 | sconn->timeout = timeout; | |
441 | rb_connect_tcp(F, dest, clocal, socklen, rb_ssl_tryconn, sconn, timeout); | |
033be687 | 442 | |
af6f5d47 WP |
443 | } |
444 | ||
445 | void | |
94b4fbf9 | 446 | rb_ssl_start_connected(rb_fde_t *F, CNCB * callback, void *data, int timeout) |
af6f5d47 | 447 | { |
af6f5d47 | 448 | struct ssl_connect *sconn; |
af6f5d47 WP |
449 | if(F == NULL) |
450 | return; | |
451 | ||
452 | sconn = rb_malloc(sizeof(struct ssl_connect)); | |
453 | sconn->data = data; | |
454 | sconn->callback = callback; | |
455 | sconn->timeout = timeout; | |
456 | F->connect = rb_malloc(sizeof(struct conndata)); | |
457 | F->connect->callback = callback; | |
458 | F->connect->data = data; | |
459 | F->type |= RB_FD_SSL; | |
033be687 | 460 | F->ssl = rb_malloc(sizeof(gnutls_session_t)); |
94b4fbf9 VY |
461 | |
462 | gnutls_init(F->ssl, GNUTLS_CLIENT); | |
463 | gnutls_set_default_priority(SSL_P(F)); | |
033be687 VY |
464 | gnutls_dh_set_prime_bits(SSL_P(F), 1024); |
465 | gnutls_transport_set_ptr(SSL_P(F), (gnutls_transport_ptr_t) (long int)F->fd); | |
94b4fbf9 | 466 | |
af6f5d47 | 467 | rb_settimeout(F, sconn->timeout, rb_ssl_tryconn_timeout_cb, sconn); |
033be687 VY |
468 | |
469 | if(do_ssl_handshake(F, rb_ssl_tryconn_cb)) | |
af6f5d47 WP |
470 | { |
471 | rb_ssl_connect_realcb(F, RB_OK, sconn); | |
472 | } | |
473 | } | |
474 | ||
af6f5d47 WP |
475 | int |
476 | rb_init_prng(const char *path, prng_seed_t seed_type) | |
477 | { | |
033be687 VY |
478 | gcry_fast_random_poll(); |
479 | return 1; | |
af6f5d47 WP |
480 | } |
481 | ||
482 | int | |
483 | rb_get_random(void *buf, size_t length) | |
484 | { | |
033be687 VY |
485 | gcry_randomize(buf, length, GCRY_STRONG_RANDOM); |
486 | return 1; | |
af6f5d47 WP |
487 | } |
488 | ||
4414eb3c VY |
489 | int |
490 | rb_get_pseudo_random(void *buf, size_t length) | |
491 | { | |
492 | gcry_randomize(buf, length, GCRY_WEAK_RANDOM); | |
493 | return 1; | |
494 | } | |
af6f5d47 WP |
495 | |
496 | const char * | |
94b4fbf9 | 497 | rb_get_ssl_strerror(rb_fde_t *F) |
af6f5d47 WP |
498 | { |
499 | return gnutls_strerror(F->ssl_errno); | |
500 | } | |
501 | ||
a099270d JT |
502 | int |
503 | rb_get_ssl_certfp(rb_fde_t *F, uint8_t certfp[RB_SSL_CERTFP_LEN]) | |
504 | { | |
0a625836 WP |
505 | gnutls_x509_crt_t cert; |
506 | unsigned int cert_list_size; | |
507 | const gnutls_datum_t *cert_list; | |
508 | uint8_t digest[RB_SSL_CERTFP_LEN * 2]; | |
509 | size_t digest_size; | |
510 | ||
511 | if (gnutls_certificate_type_get(SSL_P(F)) != GNUTLS_CRT_X509) | |
512 | return 0; | |
513 | ||
514 | if (gnutls_x509_crt_init(&cert) < 0) | |
515 | return 0; | |
516 | ||
517 | cert_list_size = 0; | |
518 | cert_list = gnutls_certificate_get_peers(SSL_P(F), &cert_list_size); | |
519 | if (cert_list == NULL) | |
520 | { | |
521 | gnutls_x509_crt_deinit(cert); | |
522 | return 0; | |
523 | } | |
524 | ||
525 | if (gnutls_x509_crt_import(cert, &cert_list[0], GNUTLS_X509_FMT_DER) < 0) | |
526 | { | |
527 | gnutls_x509_crt_deinit(cert); | |
528 | return 0; | |
529 | } | |
530 | ||
531 | if (gnutls_x509_crt_get_fingerprint(cert, GNUTLS_DIG_SHA1, digest, &digest_size) < 0) | |
532 | { | |
533 | gnutls_x509_crt_deinit(cert); | |
534 | return 0; | |
535 | } | |
536 | ||
537 | memcpy(certfp, digest, RB_SSL_CERTFP_LEN); | |
538 | ||
ed1dc6b3 | 539 | gnutls_x509_crt_deinit(cert); |
0a625836 | 540 | return 1; |
a099270d JT |
541 | } |
542 | ||
af6f5d47 WP |
543 | int |
544 | rb_supports_ssl(void) | |
545 | { | |
546 | return 1; | |
547 | } | |
548 | ||
f030cae8 VY |
549 | void |
550 | rb_get_ssl_info(char *buf, size_t len) | |
551 | { | |
552 | rb_snprintf(buf, len, "GNUTLS: compiled (%s), library(%s)", | |
553 | LIBGNUTLS_VERSION, gnutls_check_version(NULL)); | |
554 | } | |
555 | ||
556 | ||
af6f5d47 | 557 | #endif /* HAVE_GNUTLS */ |