libratbox/src/gnutls.c

   1 /*
   2  *  libratbox: a library used by ircd-ratbox and other things
   3  *  gnutls.c: gnutls related code
   4  *
   5  *  Copyright (C) 2007-2008 ircd-ratbox development team
   6  *  Copyright (C) 2007-2008 Aaron Sethman <androsyn@ratbox.org>
   7  *
   8  *  This program is free software; you can redistribute it and/or modify
   9  *  it under the terms of the GNU General Public License as published by
  10  *  the Free Software Foundation; either version 2 of the License, or
  11  *  (at your option) any later version.
  12  *
  13  *  This program is distributed in the hope that it will be useful,
  14  *  but WITHOUT ANY WARRANTY; without even the implied warranty of
  15  *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  16  *  GNU General Public License for more details.
  17  *
  18  *  You should have received a copy of the GNU General Public License
  19  *  along with this program; if not, write to the Free Software
  20  *  Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301
  21  *  USA
  22  *
  23  *  $Id: gnutls.c 26296 2008-12-13 03:36:00Z androsyn $
  24  */
  25
  26 #include <libratbox_config.h>
  27 #include <ratbox_lib.h>
  28 #include <commio-int.h>
  29 #include <commio-ssl.h>
  30 #ifdef HAVE_GNUTLS
  31
  32 #include <gnutls/gnutls.h>
  33 #include <gnutls/x509.h>
  34 #include <gcrypt.h>
  35
  36 static gnutls_certificate_credentials x509;
  37 static gnutls_dh_params dh_params;
  38
  39
  40
  41 #define SSL_P(x) *((gnutls_session_t *)F->ssl)
  42
  43 void
  44 rb_ssl_shutdown(rb_fde_t *F)
  45 {
  46         int i;
  47         if(F == NULL || F->ssl == NULL)
  48                 return;
  49         for(i = 0; i < 4; i++)
  50         {
  51                 if(gnutls_bye(SSL_P(F), GNUTLS_SHUT_RDWR) == GNUTLS_E_SUCCESS)
  52                         break;
  53         }
  54         gnutls_deinit(SSL_P(F));
  55         rb_free(F->ssl);
  56 }
  57
  58 unsigned int
  59 rb_ssl_handshake_count(rb_fde_t *F)
  60 {
  61         return F->handshake_count;
  62 }
  63
  64 void
  65 rb_ssl_clear_handshake_count(rb_fde_t *F)
  66 {
  67         F->handshake_count = 0;
  68 }
  69
  70 static void
  71 rb_ssl_timeout(rb_fde_t *F, void *notused)
  72 {
  73         lrb_assert(F->accept != NULL);
  74         F->accept->callback(F, RB_ERR_TIMEOUT, NULL, 0, F->accept->data);
  75 }
  76
  77
  78 static int
  79 do_ssl_handshake(rb_fde_t *F, PF * callback)
  80 {
  81         int ret;
  82         int flags;
  83
  84         ret = gnutls_handshake(SSL_P(F));
  85         if(ret < 0)
  86         {
  87                 if((ret == GNUTLS_E_INTERRUPTED && rb_ignore_errno(errno)) || ret == GNUTLS_E_AGAIN)
  88                 {
  89                         if(gnutls_record_get_direction(SSL_P(F)) == 0)
  90                                 flags = RB_SELECT_READ;
  91                         else
  92                                 flags = RB_SELECT_WRITE;
  93                         rb_setselect(F, flags, callback, NULL);
  94                         return 0;
  95                 }
  96                 F->ssl_errno = ret;
  97                 return -1;
  98         }
  99         return 1;               /* handshake is finished..go about life */
 100 }
 101
 102 static void
 103 rb_ssl_tryaccept(rb_fde_t *F, void *data)
 104 {
 105         int ret;
 106         struct acceptdata *ad;
 107
 108         lrb_assert(F->accept != NULL);
 109
 110         ret = do_ssl_handshake(F, rb_ssl_tryaccept);
 111
 112         /* do_ssl_handshake does the rb_setselect */
 113         if(ret == 0)
 114                 return;
 115
 116         ad = F->accept;
 117         F->accept = NULL;
 118         rb_settimeout(F, 0, NULL, NULL);
 119         rb_setselect(F, RB_SELECT_READ | RB_SELECT_WRITE, NULL, NULL);
 120
 121         if(ret > 0)
 122                 ad->callback(F, RB_OK, (struct sockaddr *)&ad->S, ad->addrlen, ad->data);
 123         else
 124                 ad->callback(F, RB_ERROR_SSL, NULL, 0, ad->data);
 125
 126         rb_free(ad);
 127 }
 128
 129 void
 130 rb_ssl_start_accepted(rb_fde_t *new_F, ACCB * cb, void *data, int timeout)
 131 {
 132         gnutls_session_t *ssl;
 133         new_F->type |= RB_FD_SSL;
 134         ssl = new_F->ssl = rb_malloc(sizeof(gnutls_session_t));
 135         new_F->accept = rb_malloc(sizeof(struct acceptdata));
 136
 137         new_F->accept->callback = cb;
 138         new_F->accept->data = data;
 139         rb_settimeout(new_F, timeout, rb_ssl_timeout, NULL);
 140
 141         new_F->accept->addrlen = 0;
 142
 143         gnutls_init(ssl, GNUTLS_SERVER);
 144         gnutls_set_default_priority(*ssl);
 145         gnutls_credentials_set(*ssl, GNUTLS_CRD_CERTIFICATE, x509);
 146         gnutls_dh_set_prime_bits(*ssl, 1024);
 147         gnutls_transport_set_ptr(*ssl, (gnutls_transport_ptr_t) (long int)new_F->fd);
 148         gnutls_certificate_server_set_request(*ssl, GNUTLS_CERT_REQUEST);
 149         if(do_ssl_handshake(new_F, rb_ssl_tryaccept))
 150         {
 151                 struct acceptdata *ad = new_F->accept;
 152                 new_F->accept = NULL;
 153                 ad->callback(new_F, RB_OK, (struct sockaddr *)&ad->S, ad->addrlen, ad->data);
 154                 rb_free(ad);
 155         }
 156
 157 }
 158
 159
 160
 161
 162 void
 163 rb_ssl_accept_setup(rb_fde_t *F, rb_fde_t *new_F, struct sockaddr *st, int addrlen)
 164 {
 165         new_F->type |= RB_FD_SSL;
 166         new_F->ssl = rb_malloc(sizeof(gnutls_session_t));
 167         new_F->accept = rb_malloc(sizeof(struct acceptdata));
 168
 169         new_F->accept->callback = F->accept->callback;
 170         new_F->accept->data = F->accept->data;
 171         rb_settimeout(new_F, 10, rb_ssl_timeout, NULL);
 172         memcpy(&new_F->accept->S, st, addrlen);
 173         new_F->accept->addrlen = addrlen;
 174
 175         gnutls_init((gnutls_session_t *) new_F->ssl, GNUTLS_SERVER);
 176         gnutls_set_default_priority(SSL_P(new_F));
 177         gnutls_credentials_set(SSL_P(new_F), GNUTLS_CRD_CERTIFICATE, x509);
 178         gnutls_dh_set_prime_bits(SSL_P(new_F), 1024);
 179         gnutls_transport_set_ptr(SSL_P(new_F), (gnutls_transport_ptr_t) (long int)rb_get_fd(new_F));
 180         gnutls_certificate_server_set_request(SSL_P(new_F), GNUTLS_CERT_REQUEST);
 181         if(do_ssl_handshake(F, rb_ssl_tryaccept))
 182         {
 183                 struct acceptdata *ad = F->accept;
 184                 F->accept = NULL;
 185                 ad->callback(F, RB_OK, (struct sockaddr *)&ad->S, ad->addrlen, ad->data);
 186                 rb_free(ad);
 187         }
 188 }
 189
 190
 191
 192
 193 static ssize_t
 194 rb_ssl_read_or_write(int r_or_w, rb_fde_t *F, void *rbuf, const void *wbuf, size_t count)
 195 {
 196         ssize_t ret;
 197         gnutls_session_t *ssl = F->ssl;
 198
 199         if(r_or_w == 0)
 200                 ret = gnutls_record_recv(*ssl, rbuf, count);
 201         else
 202                 ret = gnutls_record_send(*ssl, wbuf, count);
 203
 204         if(ret < 0)
 205         {
 206                 switch (ret)
 207                 {
 208                 case GNUTLS_E_AGAIN:
 209                 case GNUTLS_E_INTERRUPTED:
 210                         if(rb_ignore_errno(errno))
 211                         {
 212                                 if(gnutls_record_get_direction(*ssl) == 0)
 213                                         return RB_RW_SSL_NEED_READ;
 214                                 else
 215                                         return RB_RW_SSL_NEED_WRITE;
 216                                 break;
 217                         }
 218                 default:
 219                         F->ssl_errno = ret;
 220                         errno = EIO;
 221                         return RB_RW_IO_ERROR;
 222                 }
 223         }
 224         return ret;
 225 }
 226
 227 ssize_t
 228 rb_ssl_read(rb_fde_t *F, void *buf, size_t count)
 229 {
 230         return rb_ssl_read_or_write(0, F, buf, NULL, count);
 231 }
 232
 233 ssize_t
 234 rb_ssl_write(rb_fde_t *F, const void *buf, size_t count)
 235 {
 236         return rb_ssl_read_or_write(1, F, NULL, buf, count);
 237 }
 238
 239 static void
 240 rb_gcry_random_seed(void *unused)
 241 {
 242         gcry_fast_random_poll();
 243 }
 244
 245 int
 246 rb_init_ssl(void)
 247 {
 248         gnutls_global_init();
 249
 250         if(gnutls_certificate_allocate_credentials(&x509) != GNUTLS_E_SUCCESS)
 251         {
 252                 rb_lib_log("rb_init_ssl: Unable to allocate SSL/TLS certificate credentials");
 253                 return 0;
 254         }
 255         rb_event_addish("rb_gcry_random_seed", rb_gcry_random_seed, NULL, 300);
 256         return 1;
 257 }
 258
 259 static void
 260 rb_free_datum_t(gnutls_datum_t * d)
 261 {
 262         rb_free(d->data);
 263         rb_free(d);
 264 }
 265
 266 static gnutls_datum_t *
 267 rb_load_file_into_datum_t(const char *file)
 268 {
 269         FILE *f;
 270         gnutls_datum_t *datum;
 271         struct stat fileinfo;
 272         if((f = fopen(file, "r")) == NULL)
 273                 return NULL;
 274         if(fstat(fileno(f), &fileinfo))
 275                 return NULL;
 276
 277         datum = rb_malloc(sizeof(gnutls_datum_t));
 278
 279         if(fileinfo.st_size > 131072)   /* deal with retards */
 280                 datum->size = 131072;
 281         else
 282                 datum->size = fileinfo.st_size;
 283
 284         datum->data = rb_malloc(datum->size + 1);
 285         fread(datum->data, datum->size, 1, f);
 286         fclose(f);
 287         return datum;
 288 }
 289
 290 int
 291 rb_setup_ssl_server(const char *cert, const char *keyfile, const char *dhfile)
 292 {
 293         int ret;
 294         gnutls_datum_t *d_cert, *d_key;
 295         if(cert == NULL)
 296         {
 297                 rb_lib_log("rb_setup_ssl_server: No certificate file");
 298                 return 0;
 299         }
 300
 301         if((d_cert = rb_load_file_into_datum_t(cert)) == NULL)
 302         {
 303                 rb_lib_log("rb_setup_ssl_server: Error loading certificate: %s", strerror(errno));
 304                 return 0;
 305         }
 306
 307         if((d_key = rb_load_file_into_datum_t(keyfile)) == NULL)
 308         {
 309                 rb_lib_log("rb_setup_ssl_server: Error loading key: %s", strerror(errno));
 310                 return 0;
 311         }
 312
 313
 314         if((ret =
 315             gnutls_certificate_set_x509_key_mem(x509, d_cert, d_key,
 316                                                 GNUTLS_X509_FMT_PEM)) != GNUTLS_E_SUCCESS)
 317         {
 318                 rb_lib_log("rb_setup_ssl_server: Error loading certificate or key file: %s",
 319                            gnutls_strerror(ret));
 320                 return 0;
 321         }
 322         rb_free_datum_t(d_cert);
 323         rb_free_datum_t(d_key);
 324
 325         if(dhfile != NULL)
 326         {
 327                 if(gnutls_dh_params_init(&dh_params) == GNUTLS_E_SUCCESS)
 328                 {
 329                         gnutls_datum_t *data;
 330                         int xret;
 331                         data = rb_load_file_into_datum_t(dhfile);
 332                         if(data != NULL)
 333                         {
 334                                 xret = gnutls_dh_params_import_pkcs3(dh_params, data,
 335                                                                      GNUTLS_X509_FMT_PEM);
 336                                 if(xret < 0)
 337                                         rb_lib_log
 338                                                 ("rb_setup_ssl_server: Error parsing DH file: %s\n",
 339                                                  gnutls_strerror(xret));
 340                                 rb_free_datum_t(data);
 341                         }
 342                         gnutls_certificate_set_dh_params(x509, dh_params);
 343                 }
 344                 else
 345                         rb_lib_log("rb_setup_ssl_server: Unable to setup DH parameters");
 346         }
 347         return 1;
 348 }
 349
 350 int
 351 rb_ssl_listen(rb_fde_t *F, int backlog)
 352 {
 353         F->type = RB_FD_SOCKET | RB_FD_LISTEN | RB_FD_SSL;
 354         return listen(F->fd, backlog);
 355 }
 356
 357 struct ssl_connect
 358 {
 359         CNCB *callback;
 360         void *data;
 361         int timeout;
 362 };
 363
 364 static void
 365 rb_ssl_connect_realcb(rb_fde_t *F, int status, struct ssl_connect *sconn)
 366 {
 367         F->connect->callback = sconn->callback;
 368         F->connect->data = sconn->data;
 369         rb_free(sconn);
 370         rb_connect_callback(F, status);
 371 }
 372
 373 static void
 374 rb_ssl_tryconn_timeout_cb(rb_fde_t *F, void *data)
 375 {
 376         rb_ssl_connect_realcb(F, RB_ERR_TIMEOUT, data);
 377 }
 378
 379 static void
 380 rb_ssl_tryconn_cb(rb_fde_t *F, void *data)
 381 {
 382         struct ssl_connect *sconn = data;
 383         int ret;
 384
 385         ret = do_ssl_handshake(F, rb_ssl_tryconn_cb);
 386
 387         switch (ret)
 388         {
 389         case -1:
 390                 rb_ssl_connect_realcb(F, RB_ERROR_SSL, sconn);
 391                 break;
 392         case 0:
 393                 /* do_ssl_handshake does the rb_setselect stuff */
 394                 return;
 395         default:
 396                 break;
 397
 398
 399         }
 400         rb_ssl_connect_realcb(F, RB_OK, sconn);
 401 }
 402
 403 static void
 404 rb_ssl_tryconn(rb_fde_t *F, int status, void *data)
 405 {
 406         struct ssl_connect *sconn = data;
 407         if(status != RB_OK)
 408         {
 409                 rb_ssl_connect_realcb(F, status, sconn);
 410                 return;
 411         }
 412
 413         F->type |= RB_FD_SSL;
 414
 415
 416         rb_settimeout(F, sconn->timeout, rb_ssl_tryconn_timeout_cb, sconn);
 417         F->ssl = rb_malloc(sizeof(gnutls_session_t));
 418         gnutls_init(F->ssl, GNUTLS_CLIENT);
 419         gnutls_set_default_priority(SSL_P(F));
 420         gnutls_dh_set_prime_bits(SSL_P(F), 1024);
 421         gnutls_transport_set_ptr(SSL_P(F), (gnutls_transport_ptr_t) (long int)F->fd);
 422
 423         if(do_ssl_handshake(F, rb_ssl_tryconn_cb))
 424         {
 425                 rb_ssl_connect_realcb(F, RB_OK, sconn);
 426         }
 427 }
 428
 429 void
 430 rb_connect_tcp_ssl(rb_fde_t *F, struct sockaddr *dest,
 431                    struct sockaddr *clocal, int socklen, CNCB * callback, void *data, int timeout)
 432 {
 433         struct ssl_connect *sconn;
 434         if(F == NULL)
 435                 return;
 436
 437         sconn = rb_malloc(sizeof(struct ssl_connect));
 438         sconn->data = data;
 439         sconn->callback = callback;
 440         sconn->timeout = timeout;
 441         rb_connect_tcp(F, dest, clocal, socklen, rb_ssl_tryconn, sconn, timeout);
 442
 443 }
 444
 445 void
 446 rb_ssl_start_connected(rb_fde_t *F, CNCB * callback, void *data, int timeout)
 447 {
 448         struct ssl_connect *sconn;
 449         if(F == NULL)
 450                 return;
 451
 452         sconn = rb_malloc(sizeof(struct ssl_connect));
 453         sconn->data = data;
 454         sconn->callback = callback;
 455         sconn->timeout = timeout;
 456         F->connect = rb_malloc(sizeof(struct conndata));
 457         F->connect->callback = callback;
 458         F->connect->data = data;
 459         F->type |= RB_FD_SSL;
 460         F->ssl = rb_malloc(sizeof(gnutls_session_t));
 461
 462         gnutls_init(F->ssl, GNUTLS_CLIENT);
 463         gnutls_set_default_priority(SSL_P(F));
 464         gnutls_dh_set_prime_bits(SSL_P(F), 1024);
 465         gnutls_transport_set_ptr(SSL_P(F), (gnutls_transport_ptr_t) (long int)F->fd);
 466
 467         rb_settimeout(F, sconn->timeout, rb_ssl_tryconn_timeout_cb, sconn);
 468
 469         if(do_ssl_handshake(F, rb_ssl_tryconn_cb))
 470         {
 471                 rb_ssl_connect_realcb(F, RB_OK, sconn);
 472         }
 473 }
 474
 475 int
 476 rb_init_prng(const char *path, prng_seed_t seed_type)
 477 {
 478         gcry_fast_random_poll();
 479         return 1;
 480 }
 481
 482 int
 483 rb_get_random(void *buf, size_t length)
 484 {
 485         gcry_randomize(buf, length, GCRY_STRONG_RANDOM);
 486         return 1;
 487 }
 488
 489 int
 490 rb_get_pseudo_random(void *buf, size_t length)
 491 {
 492         gcry_randomize(buf, length, GCRY_WEAK_RANDOM);
 493         return 1;
 494 }
 495
 496 const char *
 497 rb_get_ssl_strerror(rb_fde_t *F)
 498 {
 499         return gnutls_strerror(F->ssl_errno);
 500 }
 501
 502 int
 503 rb_get_ssl_certfp(rb_fde_t *F, uint8_t certfp[RB_SSL_CERTFP_LEN])
 504 {
 505         gnutls_x509_crt_t cert;
 506         unsigned int cert_list_size;
 507         const gnutls_datum_t *cert_list;
 508         uint8_t digest[RB_SSL_CERTFP_LEN * 2];
 509         size_t digest_size;
 510
 511         if (gnutls_certificate_type_get(SSL_P(F)) != GNUTLS_CRT_X509)
 512                 return 0;
 513
 514         if (gnutls_x509_crt_init(&cert) < 0)
 515                 return 0;
 516
 517         cert_list_size = 0;
 518         cert_list = gnutls_certificate_get_peers(SSL_P(F), &cert_list_size);
 519         if (cert_list == NULL)
 520         {
 521                 gnutls_x509_crt_deinit(cert);
 522                 return 0;
 523         }
 524
 525         if (gnutls_x509_crt_import(cert, &cert_list[0], GNUTLS_X509_FMT_DER) < 0)
 526         {
 527                 gnutls_x509_crt_deinit(cert);
 528                 return 0;
 529         }
 530
 531         if (gnutls_x509_crt_get_fingerprint(cert, GNUTLS_DIG_SHA1, digest, &digest_size) < 0)
 532         {
 533                 gnutls_x509_crt_deinit(cert);
 534                 return 0;
 535         }
 536
 537         memcpy(certfp, digest, RB_SSL_CERTFP_LEN);
 538
 539         gnutls_x509_crt_deinit(cert);
 540         return 1;
 541 }
 542
 543 int
 544 rb_supports_ssl(void)
 545 {
 546         return 1;
 547 }
 548
 549 void
 550 rb_get_ssl_info(char *buf, size_t len)
 551 {
 552         rb_snprintf(buf, len, "GNUTLS: compiled (%s), library(%s)",
 553                     LIBGNUTLS_VERSION, gnutls_check_version(NULL));
 554 }
 555
 556
 557 #endif /* HAVE_GNUTLS */