#define RB_SELECT_ACCEPT RB_SELECT_READ
#define RB_SELECT_CONNECT RB_SELECT_WRITE
+#define RB_SSL_CERTFP_LEN 20
+
int rb_set_nb(rb_fde_t *);
int rb_set_buffers(rb_fde_t *, int);
int rb_fd_ssl(rb_fde_t *F);
int rb_get_fd(rb_fde_t *F);
const char *rb_get_ssl_strerror(rb_fde_t *F);
+int rb_get_ssl_certfp(rb_fde_t *F, uint8_t certfp[RB_SSL_CERTFP_LEN]);
rb_fde_t *rb_get_fde(int fd);
return gnutls_strerror(F->ssl_errno);
}
+int
+rb_get_ssl_certfp(rb_fde_t *F, uint8_t certfp[RB_SSL_CERTFP_LEN])
+{
+ /* XXX implement this for gnutls */
+ return 0;
+}
+
int
rb_supports_ssl(void)
{
return nosupport;
}
+int
+rb_get_ssl_certfp(rb_fde_t *F, uint8_t certfp[RB_SSL_CERTFP_LEN])
+{
+ return 0;
+}
+
void
rb_ssl_start_accepted(rb_fde_t *new_F, ACCB * cb, void *data, int timeout)
{
return rb_ssl_read_or_write(1, F, NULL, buf, count);
}
+static int
+verify_accept_all_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)
+{
+ return 1;
+}
+
int
rb_init_ssl(void)
{
}
/* Disable SSLv2, make the client use our settings */
SSL_CTX_set_options(ssl_server_ctx, SSL_OP_NO_SSLv2 | SSL_OP_CIPHER_SERVER_PREFERENCE);
+ SSL_CTX_set_verify(ssl_server_ctx, SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE, verify_accept_all_cb);
ssl_client_ctx = SSL_CTX_new(TLSv1_client_method());
return ERR_error_string(F->ssl_errno, NULL);
}
+int
+rb_get_ssl_certfp(rb_fde_t *F, uint8_t certfp[RB_SSL_CERTFP_LEN])
+{
+ X509 *cert;
+ int res;
+
+ if (F->ssl == NULL)
+ return 0;
+
+ cert = SSL_get_peer_certificate((SSL *) F->ssl);
+ if(cert != NULL)
+ {
+ res = SSL_get_verify_result((SSL *) F->ssl);
+ if(res == X509_V_OK ||
+ res == X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN ||
+ res == X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE ||
+ res == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT)
+ {
+ memcpy(certfp, cert->sha1_hash, RB_SSL_CERTFP_LEN);
+ return 1;
+ }
+ }
+
+ return 0;
+}
+
int
rb_supports_ssl(void)
{
exit_client(client_p, client_p, &me, reason);
}
+static void
+ssl_process_certfp(ssl_ctl_t * ctl, ssl_ctl_buf_t * ctl_buf)
+{
+ struct Client *client_p;
+ int32_t fd;
+ uint8_t *certfp;
+ char certfp_string[RB_SSL_CERTFP_LEN * 2 + 1];
+ int i;
+
+ if(ctl_buf->buflen != 5 + RB_SSL_CERTFP_LEN)
+ return; /* bogus message..drop it.. XXX should warn here */
+
+ fd = buf_to_int32(&ctl_buf->buf[1]);
+ certfp = (uint8_t *)&ctl_buf->buf[5];
+ client_p = find_cli_fd_hash(fd);
+ if(client_p == NULL)
+ return;
+ for(i = 0; i < RB_SSL_CERTFP_LEN; i++)
+ rb_snprintf(certfp_string + 2 * i, 3, "%02x",
+ certfp[i]);
+ sendto_one_notice(client_p, ":*** CertFP is %s", certfp_string);
+}
+
static void
ssl_process_cmd_recv(ssl_ctl_t * ctl)
{
case 'D':
ssl_process_dead_fd(ctl, ctl_buf);
break;
+ case 'F':
+ ssl_process_certfp(ctl, ctl_buf);
+ break;
case 'S':
ssl_process_zipstats(ctl, ctl_buf);
break;
ssl_process_accept_cb(rb_fde_t *F, int status, struct sockaddr *addr, rb_socklen_t len, void *data)
{
conn_t *conn = data;
+ char buf[5 + RB_SSL_CERTFP_LEN];
+
if(status == RB_OK)
{
+ if(rb_get_ssl_certfp(F, &buf[5]))
+ {
+ buf[0] = 'F';
+ int32_to_buf(&buf[1], conn->id);
+ mod_cmd_write_queue(conn->ctl, buf, sizeof buf);
+ }
conn_mod_read_cb(conn->mod_fd, conn);
conn_plain_read_cb(conn->plain_fd, conn);
return;