libratbox/src/gnutls.c

   1 /*
   2  *  libratbox: a library used by ircd-ratbox and other things
   3  *  gnutls.c: gnutls related code
   4  *
   5  *  Copyright (C) 2007-2008 ircd-ratbox development team
   6  *  Copyright (C) 2007-2008 Aaron Sethman <androsyn@ratbox.org>
   7  *
   8  *  This program is free software; you can redistribute it and/or modify
   9  *  it under the terms of the GNU General Public License as published by
  10  *  the Free Software Foundation; either version 2 of the License, or
  11  *  (at your option) any later version.
  12  *
  13  *  This program is distributed in the hope that it will be useful,
  14  *  but WITHOUT ANY WARRANTY; without even the implied warranty of
  15  *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  16  *  GNU General Public License for more details.
  17  *
  18  *  You should have received a copy of the GNU General Public License
  19  *  along with this program; if not, write to the Free Software
  20  *  Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301
  21  *  USA
  22  *
  23  */
  24
  25 #include <libratbox_config.h>
  26 #include <ratbox_lib.h>
  27 #include <commio-int.h>
  28 #include <commio-ssl.h>
  29 #ifdef HAVE_GNUTLS
  30
  31 #include <gnutls/gnutls.h>
  32 #include <gnutls/x509.h>
  33 #include <gcrypt.h>
  34
  35 static gnutls_certificate_credentials x509;
  36 static gnutls_dh_params dh_params;
  37
  38
  39
  40 #define SSL_P(x) *((gnutls_session_t *)F->ssl)
  41
  42 void
  43 rb_ssl_shutdown(rb_fde_t *F)
  44 {
  45         int i;
  46         if(F == NULL || F->ssl == NULL)
  47                 return;
  48         for(i = 0; i < 4; i++)
  49         {
  50                 if(gnutls_bye(SSL_P(F), GNUTLS_SHUT_RDWR) == GNUTLS_E_SUCCESS)
  51                         break;
  52         }
  53         gnutls_deinit(SSL_P(F));
  54         rb_free(F->ssl);
  55 }
  56
  57 unsigned int
  58 rb_ssl_handshake_count(rb_fde_t *F)
  59 {
  60         return F->handshake_count;
  61 }
  62
  63 void
  64 rb_ssl_clear_handshake_count(rb_fde_t *F)
  65 {
  66         F->handshake_count = 0;
  67 }
  68
  69 static void
  70 rb_ssl_timeout(rb_fde_t *F, void *notused)
  71 {
  72         lrb_assert(F->accept != NULL);
  73         F->accept->callback(F, RB_ERR_TIMEOUT, NULL, 0, F->accept->data);
  74 }
  75
  76
  77 static int
  78 do_ssl_handshake(rb_fde_t *F, PF * callback)
  79 {
  80         int ret;
  81         int flags;
  82
  83         ret = gnutls_handshake(SSL_P(F));
  84         if(ret < 0)
  85         {
  86                 if((ret == GNUTLS_E_INTERRUPTED && rb_ignore_errno(errno)) || ret == GNUTLS_E_AGAIN)
  87                 {
  88                         if(gnutls_record_get_direction(SSL_P(F)) == 0)
  89                                 flags = RB_SELECT_READ;
  90                         else
  91                                 flags = RB_SELECT_WRITE;
  92                         rb_setselect(F, flags, callback, NULL);
  93                         return 0;
  94                 }
  95                 F->ssl_errno = ret;
  96                 return -1;
  97         }
  98         return 1;               /* handshake is finished..go about life */
  99 }
 100
 101 static void
 102 rb_ssl_tryaccept(rb_fde_t *F, void *data)
 103 {
 104         int ret;
 105         struct acceptdata *ad;
 106
 107         lrb_assert(F->accept != NULL);
 108
 109         ret = do_ssl_handshake(F, rb_ssl_tryaccept);
 110
 111         /* do_ssl_handshake does the rb_setselect */
 112         if(ret == 0)
 113                 return;
 114
 115         ad = F->accept;
 116         F->accept = NULL;
 117         rb_settimeout(F, 0, NULL, NULL);
 118         rb_setselect(F, RB_SELECT_READ | RB_SELECT_WRITE, NULL, NULL);
 119
 120         if(ret > 0)
 121                 ad->callback(F, RB_OK, (struct sockaddr *)&ad->S, ad->addrlen, ad->data);
 122         else
 123                 ad->callback(F, RB_ERROR_SSL, NULL, 0, ad->data);
 124
 125         rb_free(ad);
 126 }
 127
 128 void
 129 rb_ssl_start_accepted(rb_fde_t *new_F, ACCB * cb, void *data, int timeout)
 130 {
 131         gnutls_session_t *ssl;
 132         new_F->type |= RB_FD_SSL;
 133         ssl = new_F->ssl = rb_malloc(sizeof(gnutls_session_t));
 134         new_F->accept = rb_malloc(sizeof(struct acceptdata));
 135
 136         new_F->accept->callback = cb;
 137         new_F->accept->data = data;
 138         rb_settimeout(new_F, timeout, rb_ssl_timeout, NULL);
 139
 140         new_F->accept->addrlen = 0;
 141
 142         gnutls_init(ssl, GNUTLS_SERVER);
 143         gnutls_set_default_priority(*ssl);
 144         gnutls_credentials_set(*ssl, GNUTLS_CRD_CERTIFICATE, x509);
 145         gnutls_dh_set_prime_bits(*ssl, 1024);
 146         gnutls_transport_set_ptr(*ssl, (gnutls_transport_ptr_t) (long int)new_F->fd);
 147         gnutls_certificate_server_set_request(*ssl, GNUTLS_CERT_REQUEST);
 148         if(do_ssl_handshake(new_F, rb_ssl_tryaccept))
 149         {
 150                 struct acceptdata *ad = new_F->accept;
 151                 new_F->accept = NULL;
 152                 ad->callback(new_F, RB_OK, (struct sockaddr *)&ad->S, ad->addrlen, ad->data);
 153                 rb_free(ad);
 154         }
 155
 156 }
 157
 158
 159
 160
 161 void
 162 rb_ssl_accept_setup(rb_fde_t *F, rb_fde_t *new_F, struct sockaddr *st, int addrlen)
 163 {
 164         new_F->type |= RB_FD_SSL;
 165         new_F->ssl = rb_malloc(sizeof(gnutls_session_t));
 166         new_F->accept = rb_malloc(sizeof(struct acceptdata));
 167
 168         new_F->accept->callback = F->accept->callback;
 169         new_F->accept->data = F->accept->data;
 170         rb_settimeout(new_F, 10, rb_ssl_timeout, NULL);
 171         memcpy(&new_F->accept->S, st, addrlen);
 172         new_F->accept->addrlen = addrlen;
 173
 174         gnutls_init((gnutls_session_t *) new_F->ssl, GNUTLS_SERVER);
 175         gnutls_set_default_priority(SSL_P(new_F));
 176         gnutls_credentials_set(SSL_P(new_F), GNUTLS_CRD_CERTIFICATE, x509);
 177         gnutls_dh_set_prime_bits(SSL_P(new_F), 1024);
 178         gnutls_transport_set_ptr(SSL_P(new_F), (gnutls_transport_ptr_t) (long int)rb_get_fd(new_F));
 179         gnutls_certificate_server_set_request(SSL_P(new_F), GNUTLS_CERT_REQUEST);
 180         if(do_ssl_handshake(F, rb_ssl_tryaccept))
 181         {
 182                 struct acceptdata *ad = F->accept;
 183                 F->accept = NULL;
 184                 ad->callback(F, RB_OK, (struct sockaddr *)&ad->S, ad->addrlen, ad->data);
 185                 rb_free(ad);
 186         }
 187 }
 188
 189
 190
 191
 192 static ssize_t
 193 rb_ssl_read_or_write(int r_or_w, rb_fde_t *F, void *rbuf, const void *wbuf, size_t count)
 194 {
 195         ssize_t ret;
 196         gnutls_session_t *ssl = F->ssl;
 197
 198         if(r_or_w == 0)
 199                 ret = gnutls_record_recv(*ssl, rbuf, count);
 200         else
 201                 ret = gnutls_record_send(*ssl, wbuf, count);
 202
 203         if(ret < 0)
 204         {
 205                 switch (ret)
 206                 {
 207                 case GNUTLS_E_AGAIN:
 208                 case GNUTLS_E_INTERRUPTED:
 209                         if(rb_ignore_errno(errno))
 210                         {
 211                                 if(gnutls_record_get_direction(*ssl) == 0)
 212                                         return RB_RW_SSL_NEED_READ;
 213                                 else
 214                                         return RB_RW_SSL_NEED_WRITE;
 215                                 break;
 216                         }
 217                 default:
 218                         F->ssl_errno = ret;
 219                         errno = EIO;
 220                         return RB_RW_IO_ERROR;
 221                 }
 222         }
 223         return ret;
 224 }
 225
 226 ssize_t
 227 rb_ssl_read(rb_fde_t *F, void *buf, size_t count)
 228 {
 229         return rb_ssl_read_or_write(0, F, buf, NULL, count);
 230 }
 231
 232 ssize_t
 233 rb_ssl_write(rb_fde_t *F, const void *buf, size_t count)
 234 {
 235         return rb_ssl_read_or_write(1, F, NULL, buf, count);
 236 }
 237
 238 static void
 239 rb_gcry_random_seed(void *unused)
 240 {
 241         gcry_fast_random_poll();
 242 }
 243
 244 int
 245 rb_init_ssl(void)
 246 {
 247         gnutls_global_init();
 248
 249         if(gnutls_certificate_allocate_credentials(&x509) != GNUTLS_E_SUCCESS)
 250         {
 251                 rb_lib_log("rb_init_ssl: Unable to allocate SSL/TLS certificate credentials");
 252                 return 0;
 253         }
 254         rb_event_addish("rb_gcry_random_seed", rb_gcry_random_seed, NULL, 300);
 255         return 1;
 256 }
 257
 258 static void
 259 rb_free_datum_t(gnutls_datum_t * d)
 260 {
 261         rb_free(d->data);
 262         rb_free(d);
 263 }
 264
 265 static gnutls_datum_t *
 266 rb_load_file_into_datum_t(const char *file)
 267 {
 268         FILE *f;
 269         gnutls_datum_t *datum;
 270         struct stat fileinfo;
 271         if((f = fopen(file, "r")) == NULL)
 272                 return NULL;
 273         if(fstat(fileno(f), &fileinfo))
 274                 return NULL;
 275
 276         datum = rb_malloc(sizeof(gnutls_datum_t));
 277
 278         if(fileinfo.st_size > 131072)   /* deal with retards */
 279                 datum->size = 131072;
 280         else
 281                 datum->size = fileinfo.st_size;
 282
 283         datum->data = rb_malloc(datum->size + 1);
 284         fread(datum->data, datum->size, 1, f);
 285         fclose(f);
 286         return datum;
 287 }
 288
 289 int
 290 rb_setup_ssl_server(const char *cert, const char *keyfile, const char *dhfile)
 291 {
 292         int ret;
 293         gnutls_datum_t *d_cert, *d_key;
 294         if(cert == NULL)
 295         {
 296                 rb_lib_log("rb_setup_ssl_server: No certificate file");
 297                 return 0;
 298         }
 299
 300         if((d_cert = rb_load_file_into_datum_t(cert)) == NULL)
 301         {
 302                 rb_lib_log("rb_setup_ssl_server: Error loading certificate: %s", strerror(errno));
 303                 return 0;
 304         }
 305
 306         if((d_key = rb_load_file_into_datum_t(keyfile)) == NULL)
 307         {
 308                 rb_lib_log("rb_setup_ssl_server: Error loading key: %s", strerror(errno));
 309                 return 0;
 310         }
 311
 312
 313         if((ret =
 314             gnutls_certificate_set_x509_key_mem(x509, d_cert, d_key,
 315                                                 GNUTLS_X509_FMT_PEM)) != GNUTLS_E_SUCCESS)
 316         {
 317                 rb_lib_log("rb_setup_ssl_server: Error loading certificate or key file: %s",
 318                            gnutls_strerror(ret));
 319                 return 0;
 320         }
 321         rb_free_datum_t(d_cert);
 322         rb_free_datum_t(d_key);
 323
 324         if(dhfile != NULL)
 325         {
 326                 if(gnutls_dh_params_init(&dh_params) == GNUTLS_E_SUCCESS)
 327                 {
 328                         gnutls_datum_t *data;
 329                         int xret;
 330                         data = rb_load_file_into_datum_t(dhfile);
 331                         if(data != NULL)
 332                         {
 333                                 xret = gnutls_dh_params_import_pkcs3(dh_params, data,
 334                                                                      GNUTLS_X509_FMT_PEM);
 335                                 if(xret < 0)
 336                                         rb_lib_log
 337                                                 ("rb_setup_ssl_server: Error parsing DH file: %s\n",
 338                                                  gnutls_strerror(xret));
 339                                 rb_free_datum_t(data);
 340                         }
 341                         gnutls_certificate_set_dh_params(x509, dh_params);
 342                 }
 343                 else
 344                         rb_lib_log("rb_setup_ssl_server: Unable to setup DH parameters");
 345         }
 346         return 1;
 347 }
 348
 349 int
 350 rb_ssl_listen(rb_fde_t *F, int backlog)
 351 {
 352         F->type = RB_FD_SOCKET | RB_FD_LISTEN | RB_FD_SSL;
 353         return listen(F->fd, backlog);
 354 }
 355
 356 struct ssl_connect
 357 {
 358         CNCB *callback;
 359         void *data;
 360         int timeout;
 361 };
 362
 363 static void
 364 rb_ssl_connect_realcb(rb_fde_t *F, int status, struct ssl_connect *sconn)
 365 {
 366         F->connect->callback = sconn->callback;
 367         F->connect->data = sconn->data;
 368         rb_free(sconn);
 369         rb_connect_callback(F, status);
 370 }
 371
 372 static void
 373 rb_ssl_tryconn_timeout_cb(rb_fde_t *F, void *data)
 374 {
 375         rb_ssl_connect_realcb(F, RB_ERR_TIMEOUT, data);
 376 }
 377
 378 static void
 379 rb_ssl_tryconn_cb(rb_fde_t *F, void *data)
 380 {
 381         struct ssl_connect *sconn = data;
 382         int ret;
 383
 384         ret = do_ssl_handshake(F, rb_ssl_tryconn_cb);
 385
 386         switch (ret)
 387         {
 388         case -1:
 389                 rb_ssl_connect_realcb(F, RB_ERROR_SSL, sconn);
 390                 break;
 391         case 0:
 392                 /* do_ssl_handshake does the rb_setselect stuff */
 393                 return;
 394         default:
 395                 break;
 396
 397
 398         }
 399         rb_ssl_connect_realcb(F, RB_OK, sconn);
 400 }
 401
 402 static void
 403 rb_ssl_tryconn(rb_fde_t *F, int status, void *data)
 404 {
 405         struct ssl_connect *sconn = data;
 406         if(status != RB_OK)
 407         {
 408                 rb_ssl_connect_realcb(F, status, sconn);
 409                 return;
 410         }
 411
 412         F->type |= RB_FD_SSL;
 413
 414
 415         rb_settimeout(F, sconn->timeout, rb_ssl_tryconn_timeout_cb, sconn);
 416         F->ssl = rb_malloc(sizeof(gnutls_session_t));
 417         gnutls_init(F->ssl, GNUTLS_CLIENT);
 418         gnutls_set_default_priority(SSL_P(F));
 419         gnutls_dh_set_prime_bits(SSL_P(F), 1024);
 420         gnutls_transport_set_ptr(SSL_P(F), (gnutls_transport_ptr_t) (long int)F->fd);
 421
 422         if(do_ssl_handshake(F, rb_ssl_tryconn_cb))
 423         {
 424                 rb_ssl_connect_realcb(F, RB_OK, sconn);
 425         }
 426 }
 427
 428 void
 429 rb_connect_tcp_ssl(rb_fde_t *F, struct sockaddr *dest,
 430                    struct sockaddr *clocal, int socklen, CNCB * callback, void *data, int timeout)
 431 {
 432         struct ssl_connect *sconn;
 433         if(F == NULL)
 434                 return;
 435
 436         sconn = rb_malloc(sizeof(struct ssl_connect));
 437         sconn->data = data;
 438         sconn->callback = callback;
 439         sconn->timeout = timeout;
 440         rb_connect_tcp(F, dest, clocal, socklen, rb_ssl_tryconn, sconn, timeout);
 441
 442 }
 443
 444 void
 445 rb_ssl_start_connected(rb_fde_t *F, CNCB * callback, void *data, int timeout)
 446 {
 447         struct ssl_connect *sconn;
 448         if(F == NULL)
 449                 return;
 450
 451         sconn = rb_malloc(sizeof(struct ssl_connect));
 452         sconn->data = data;
 453         sconn->callback = callback;
 454         sconn->timeout = timeout;
 455         F->connect = rb_malloc(sizeof(struct conndata));
 456         F->connect->callback = callback;
 457         F->connect->data = data;
 458         F->type |= RB_FD_SSL;
 459         F->ssl = rb_malloc(sizeof(gnutls_session_t));
 460
 461         gnutls_init(F->ssl, GNUTLS_CLIENT);
 462         gnutls_set_default_priority(SSL_P(F));
 463         gnutls_dh_set_prime_bits(SSL_P(F), 1024);
 464         gnutls_transport_set_ptr(SSL_P(F), (gnutls_transport_ptr_t) (long int)F->fd);
 465
 466         rb_settimeout(F, sconn->timeout, rb_ssl_tryconn_timeout_cb, sconn);
 467
 468         if(do_ssl_handshake(F, rb_ssl_tryconn_cb))
 469         {
 470                 rb_ssl_connect_realcb(F, RB_OK, sconn);
 471         }
 472 }
 473
 474 int
 475 rb_init_prng(const char *path, prng_seed_t seed_type)
 476 {
 477         gcry_fast_random_poll();
 478         return 1;
 479 }
 480
 481 int
 482 rb_get_random(void *buf, size_t length)
 483 {
 484         gcry_randomize(buf, length, GCRY_STRONG_RANDOM);
 485         return 1;
 486 }
 487
 488 int
 489 rb_get_pseudo_random(void *buf, size_t length)
 490 {
 491         gcry_randomize(buf, length, GCRY_WEAK_RANDOM);
 492         return 1;
 493 }
 494
 495 const char *
 496 rb_get_ssl_strerror(rb_fde_t *F)
 497 {
 498         return gnutls_strerror(F->ssl_errno);
 499 }
 500
 501 int
 502 rb_get_ssl_certfp(rb_fde_t *F, uint8_t certfp[RB_SSL_CERTFP_LEN])
 503 {
 504         gnutls_x509_crt_t cert;
 505         unsigned int cert_list_size;
 506         const gnutls_datum_t *cert_list;
 507         uint8_t digest[RB_SSL_CERTFP_LEN * 2];
 508         size_t digest_size;
 509
 510         if (gnutls_certificate_type_get(SSL_P(F)) != GNUTLS_CRT_X509)
 511                 return 0;
 512
 513         if (gnutls_x509_crt_init(&cert) < 0)
 514                 return 0;
 515
 516         cert_list_size = 0;
 517         cert_list = gnutls_certificate_get_peers(SSL_P(F), &cert_list_size);
 518         if (cert_list == NULL)
 519         {
 520                 gnutls_x509_crt_deinit(cert);
 521                 return 0;
 522         }
 523
 524         if (gnutls_x509_crt_import(cert, &cert_list[0], GNUTLS_X509_FMT_DER) < 0)
 525         {
 526                 gnutls_x509_crt_deinit(cert);
 527                 return 0;
 528         }
 529
 530         if (gnutls_x509_crt_get_fingerprint(cert, GNUTLS_DIG_SHA1, digest, &digest_size) < 0)
 531         {
 532                 gnutls_x509_crt_deinit(cert);
 533                 return 0;
 534         }
 535
 536         memcpy(certfp, digest, RB_SSL_CERTFP_LEN);
 537
 538         gnutls_x509_crt_deinit(cert);
 539         return 1;
 540 }
 541
 542 int
 543 rb_supports_ssl(void)
 544 {
 545         return 1;
 546 }
 547
 548 void
 549 rb_get_ssl_info(char *buf, size_t len)
 550 {
 551         rb_snprintf(buf, len, "GNUTLS: compiled (%s), library(%s)",
 552                     LIBGNUTLS_VERSION, gnutls_check_version(NULL));
 553 }
 554
 555
 556 #endif /* HAVE_GNUTLS */