]> jfr.im git - solanum.git/blame - librb/src/gnutls.c
projects / solanum.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
[mbedtls] Various fixes and improvements
[solanum.git] / librb / src / gnutls.c
CommitLineData
2bd29df9 1/*
fe037171 2 * librb: a library used by charybdis and other things
2bd29df9
AB		 3 * gnutls.c: gnutls related code
4 *
5 * Copyright (C) 2007-2008 ircd-ratbox development team
6 * Copyright (C) 2007-2008 Aaron Sethman <androsyn@ratbox.org>
7 *
8 * This program is free software; you can redistribute it and/or modify
9 * it under the terms of the GNU General Public License as published by
10 * the Free Software Foundation; either version 2 of the License, or
11 * (at your option) any later version.
12 *
13 * This program is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
55abcbb2 17 *
2bd29df9
AB		 18 * You should have received a copy of the GNU General Public License
19 * along with this program; if not, write to the Free Software
20 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301
21 * USA
22 *
2bd29df9
AB		 23 */
24
fe037171
EM		 25#include <librb_config.h>
26#include <rb_lib.h>
2bd29df9
AB		 27#include <commio-int.h>
28#include <commio-ssl.h>
cf430c1a 29#include <stdbool.h>
2bd29df9
AB		 30#ifdef HAVE_GNUTLS
31
32#include <gnutls/gnutls.h>
33#include <gnutls/x509.h>
cf430c1a 34#include <gnutls/abstract.h>
7aa40f6d 35
c56f5979 36#if (GNUTLS_VERSION_MAJOR < 3)
7aa40f6d 37# include <gcrypt.h>
c56f5979
VI		 38#else
39# include <gnutls/crypto.h>
7aa40f6d 40#endif
2bd29df9 41
c56f5979
VI		 42static gnutls_certificate_credentials_t x509;
43static gnutls_dh_params_t dh_params;
673ec98e 44static gnutls_priority_t default_priority;
2bd29df9
AB		 45
46/* These are all used for getting GnuTLS to supply a client cert. */
47#define MAX_CERTS 6
48static unsigned int x509_cert_count;
49static gnutls_x509_crt_t x509_cert[MAX_CERTS];
50static gnutls_x509_privkey_t x509_key;
f7036bbe 51#if GNUTLS_VERSION_MAJOR < 3
2bd29df9
AB		 52static int cert_callback(gnutls_session_t session, const gnutls_datum_t *req_ca_rdn, int nreqs,
53 const gnutls_pk_algorithm_t *sign_algos, int sign_algos_len, gnutls_retr_st *st);
f7036bbe
AC		 54#else
55static int cert_callback(gnutls_session_t session, const gnutls_datum_t *req_ca_rdn, int nreqs,
56 const gnutls_pk_algorithm_t *sign_algos, int sign_algos_len, gnutls_retr2_st *st);
57#endif
2bd29df9
AB		 58
59#define SSL_P(x) *((gnutls_session_t *)F->ssl)
60
61void
62rb_ssl_shutdown(rb_fde_t *F)
63{
64 int i;
65 if(F == NULL || F->ssl == NULL)
66 return;
67 for(i = 0; i < 4; i++)
68 {
69 if(gnutls_bye(SSL_P(F), GNUTLS_SHUT_RDWR) == GNUTLS_E_SUCCESS)
70 break;
71 }
72 gnutls_deinit(SSL_P(F));
73 rb_free(F->ssl);
74}
75
76unsigned int
77rb_ssl_handshake_count(rb_fde_t *F)
78{
79 return F->handshake_count;
80}
81
82void
83rb_ssl_clear_handshake_count(rb_fde_t *F)
84{
85 F->handshake_count = 0;
86}
87
88static void
89rb_ssl_timeout(rb_fde_t *F, void *notused)
90{
91 lrb_assert(F->accept != NULL);
92 F->accept->callback(F, RB_ERR_TIMEOUT, NULL, 0, F->accept->data);
93}
94
95
96static int
97do_ssl_handshake(rb_fde_t *F, PF * callback, void *data)
98{
99 int ret;
100 int flags;
101
102 ret = gnutls_handshake(SSL_P(F));
103 if(ret < 0)
104 {
105 if((ret == GNUTLS_E_INTERRUPTED && rb_ignore_errno(errno)) || ret == GNUTLS_E_AGAIN)
106 {
107 if(gnutls_record_get_direction(SSL_P(F)) == 0)
108 flags = RB_SELECT_READ;
109 else
110 flags = RB_SELECT_WRITE;
111 rb_setselect(F, flags, callback, data);
112 return 0;
113 }
114 F->ssl_errno = ret;
115 return -1;
116 }
117 return 1; /* handshake is finished..go about life */
118}
119
120static void
121rb_ssl_tryaccept(rb_fde_t *F, void *data)
122{
123 int ret;
124 struct acceptdata *ad;
125
126 lrb_assert(F->accept != NULL);
127
128 ret = do_ssl_handshake(F, rb_ssl_tryaccept, NULL);
129
130 /* do_ssl_handshake does the rb_setselect */
131 if(ret == 0)
132 return;
133
134 ad = F->accept;
135 F->accept = NULL;
136 rb_settimeout(F, 0, NULL, NULL);
137 rb_setselect(F, RB_SELECT_READ | RB_SELECT_WRITE, NULL, NULL);
55abcbb2 138
2bd29df9
AB		 139 if(ret > 0)
140 ad->callback(F, RB_OK, (struct sockaddr *)&ad->S, ad->addrlen, ad->data);
141 else
142 ad->callback(F, RB_ERROR_SSL, NULL, 0, ad->data);
143
144 rb_free(ad);
145}
146
147void
148rb_ssl_start_accepted(rb_fde_t *new_F, ACCB * cb, void *data, int timeout)
149{
150 gnutls_session_t *ssl;
151 new_F->type |= RB_FD_SSL;
152 ssl = new_F->ssl = rb_malloc(sizeof(gnutls_session_t));
153 new_F->accept = rb_malloc(sizeof(struct acceptdata));
154
155 new_F->accept->callback = cb;
156 new_F->accept->data = data;
157 rb_settimeout(new_F, timeout, rb_ssl_timeout, NULL);
158
159 new_F->accept->addrlen = 0;
160
161 gnutls_init(ssl, GNUTLS_SERVER);
162 gnutls_set_default_priority(*ssl);
163 gnutls_credentials_set(*ssl, GNUTLS_CRD_CERTIFICATE, x509);
164 gnutls_dh_set_prime_bits(*ssl, 1024);
165 gnutls_transport_set_ptr(*ssl, (gnutls_transport_ptr_t) (long int)new_F->fd);
166 gnutls_certificate_server_set_request(*ssl, GNUTLS_CERT_REQUEST);
c56f5979 167 gnutls_priority_set(*ssl, default_priority);
673ec98e 168
2bd29df9
AB		 169 if(do_ssl_handshake(new_F, rb_ssl_tryaccept, NULL))
170 {
171 struct acceptdata *ad = new_F->accept;
172 new_F->accept = NULL;
173 ad->callback(new_F, RB_OK, (struct sockaddr *)&ad->S, ad->addrlen, ad->data);
174 rb_free(ad);
175 }
176
177}
178
179
180
181
182void
183rb_ssl_accept_setup(rb_fde_t *F, rb_fde_t *new_F, struct sockaddr *st, int addrlen)
184{
185 new_F->type |= RB_FD_SSL;
186 new_F->ssl = rb_malloc(sizeof(gnutls_session_t));
187 new_F->accept = rb_malloc(sizeof(struct acceptdata));
188
189 new_F->accept->callback = F->accept->callback;
190 new_F->accept->data = F->accept->data;
191 rb_settimeout(new_F, 10, rb_ssl_timeout, NULL);
192 memcpy(&new_F->accept->S, st, addrlen);
193 new_F->accept->addrlen = addrlen;
194
195 gnutls_init((gnutls_session_t *) new_F->ssl, GNUTLS_SERVER);
196 gnutls_set_default_priority(SSL_P(new_F));
197 gnutls_credentials_set(SSL_P(new_F), GNUTLS_CRD_CERTIFICATE, x509);
198 gnutls_dh_set_prime_bits(SSL_P(new_F), 1024);
199 gnutls_transport_set_ptr(SSL_P(new_F), (gnutls_transport_ptr_t) (long int)rb_get_fd(new_F));
200 gnutls_certificate_server_set_request(SSL_P(new_F), GNUTLS_CERT_REQUEST);
673ec98e
AC		 201 gnutls_priority_set(SSL_P(F), default_priority);
202
2bd29df9
AB		 203 if(do_ssl_handshake(F, rb_ssl_tryaccept, NULL))
204 {
205 struct acceptdata *ad = F->accept;
206 F->accept = NULL;
207 ad->callback(F, RB_OK, (struct sockaddr *)&ad->S, ad->addrlen, ad->data);
208 rb_free(ad);
209 }
210}
211
212
213
214
215static ssize_t
216rb_ssl_read_or_write(int r_or_w, rb_fde_t *F, void *rbuf, const void *wbuf, size_t count)
217{
218 ssize_t ret;
219 gnutls_session_t *ssl = F->ssl;
220
221 if(r_or_w == 0)
222 ret = gnutls_record_recv(*ssl, rbuf, count);
223 else
224 ret = gnutls_record_send(*ssl, wbuf, count);
225
226 if(ret < 0)
227 {
228 switch (ret)
229 {
230 case GNUTLS_E_AGAIN:
231 case GNUTLS_E_INTERRUPTED:
232 if(rb_ignore_errno(errno))
233 {
234 if(gnutls_record_get_direction(*ssl) == 0)
235 return RB_RW_SSL_NEED_READ;
236 else
237 return RB_RW_SSL_NEED_WRITE;
238 break;
239 }
240 default:
241 F->ssl_errno = ret;
242 errno = EIO;
243 return RB_RW_IO_ERROR;
244 }
245 }
246 return ret;
247}
248
249ssize_t
250rb_ssl_read(rb_fde_t *F, void *buf, size_t count)
251{
252 return rb_ssl_read_or_write(0, F, buf, NULL, count);
253}
254
255ssize_t
256rb_ssl_write(rb_fde_t *F, const void *buf, size_t count)
257{
258 return rb_ssl_read_or_write(1, F, NULL, buf, count);
259}
260
c56f5979 261#if (GNUTLS_VERSION_MAJOR < 3)
2bd29df9
AB		 262static void
263rb_gcry_random_seed(void *unused)
264{
265 gcry_fast_random_poll();
266}
c56f5979 267#endif
2bd29df9
AB		 268
269int
270rb_init_ssl(void)
271{
272 gnutls_global_init();
273
274 if(gnutls_certificate_allocate_credentials(&x509) != GNUTLS_E_SUCCESS)
275 {
276 rb_lib_log("rb_init_ssl: Unable to allocate SSL/TLS certificate credentials");
277 return 0;
278 }
279
f7036bbe 280#if GNUTLS_VERSION_MAJOR < 3
2bd29df9 281 gnutls_certificate_client_set_retrieve_function(x509, cert_callback);
f7036bbe
AC		 282#else
283 gnutls_certificate_set_retrieve_function(x509, cert_callback);
284#endif
2bd29df9 285
c56f5979 286#if (GNUTLS_VERSION_MAJOR < 3)
2bd29df9 287 rb_event_addish("rb_gcry_random_seed", rb_gcry_random_seed, NULL, 300);
c56f5979
VI		 288#endif
289
2bd29df9
AB		 290 return 1;
291}
292
293/* We only have one certificate to authenticate with, as both client and server. Unfortunately,
294 * GnuTLS tries to be clever, and as client, will attempt to use a certificate that the server
295 * will trust. We usually use self-signed certs, though, so the result of this search is always
296 * nothing. Therefore, it uses no certificate to authenticate as a client. This is undesirable
297 * as it breaks fingerprint auth. Thus, we use this callback to force GnuTLS to always
298 * authenticate with our certificate at all times.
299 */
f7036bbe 300#if GNUTLS_VERSION_MAJOR < 3
2bd29df9
AB		 301static int
302cert_callback(gnutls_session_t session, const gnutls_datum_t *req_ca_rdn, int nreqs,
303 const gnutls_pk_algorithm_t *sign_algos, int sign_algos_len, gnutls_retr_st *st)
f7036bbe
AC		 304#else
305static int
306cert_callback(gnutls_session_t session, const gnutls_datum_t *req_ca_rdn, int nreqs,
307 const gnutls_pk_algorithm_t *sign_algos, int sign_algos_len, gnutls_retr2_st *st)
308#endif
2bd29df9
AB		 309{
310 /* XXX - ugly hack. Tell GnuTLS to use the first (only) certificate we have for auth. */
c56f5979 311#if (GNUTLS_VERSION_MAJOR < 3)
2bd29df9 312 st->type = GNUTLS_CRT_X509;
c56f5979
VI		 313#else
314 st->cert_type = GNUTLS_CRT_X509;
315 st->key_type = GNUTLS_PRIVKEY_X509;
316#endif
2bd29df9
AB		 317 st->ncerts = x509_cert_count;
318 st->cert.x509 = x509_cert;
319 st->key.x509 = x509_key;
c56f5979 320 st->deinit_all = 0;
2bd29df9
AB		 321
322 return 0;
323}
324
325static void
326rb_free_datum_t(gnutls_datum_t * d)
327{
328 rb_free(d->data);
329 rb_free(d);
330}
331
332static gnutls_datum_t *
333rb_load_file_into_datum_t(const char *file)
334{
335 FILE *f;
336 gnutls_datum_t *datum;
337 struct stat fileinfo;
31646e89 338 int count;
2bd29df9
AB		 339 if((f = fopen(file, "r")) == NULL)
340 return NULL;
341 if(fstat(fileno(f), &fileinfo))
342 return NULL;
343
344 datum = rb_malloc(sizeof(gnutls_datum_t));
345
346 if(fileinfo.st_size > 131072) /* deal with retards */
347 datum->size = 131072;
348 else
349 datum->size = fileinfo.st_size;
350
351 datum->data = rb_malloc(datum->size + 1);
31646e89 352 count = fread(datum->data, datum->size, 1, f);
2bd29df9 353 fclose(f);
31646e89
SA		 354
355 if(count != 1)
356 {
357 rb_free_datum_t(datum);
358 return NULL;
359 }
2bd29df9
AB		 360 return datum;
361}
362
363int
0fe9dd41 364rb_setup_ssl_server(const char *certfile, const char *keyfile, const char *dhfile, const char *cipher_list)
2bd29df9
AB		 365{
366 int ret;
673ec98e 367 const char *err;
2bd29df9 368 gnutls_datum_t *d_cert, *d_key;
0fe9dd41
AJ		 369
370 if(certfile == NULL)
2bd29df9
AB		 371 {
372 rb_lib_log("rb_setup_ssl_server: No certificate file");
373 return 0;
374 }
375
0fe9dd41
AJ		 376 if(keyfile == NULL)
377 keyfile = certfile;
378
379 if((d_cert = rb_load_file_into_datum_t(certfile)) == NULL)
2bd29df9
AB		 380 {
381 rb_lib_log("rb_setup_ssl_server: Error loading certificate: %s", strerror(errno));
382 return 0;
383 }
384
385 if((d_key = rb_load_file_into_datum_t(keyfile)) == NULL)
386 {
387 rb_lib_log("rb_setup_ssl_server: Error loading key: %s", strerror(errno));
388 return 0;
389 }
390
391 /* In addition to creating the certificate set, we also need to store our cert elsewhere
392 * so we can force GnuTLS to identify with it when acting as a client.
393 */
394 gnutls_x509_privkey_init(&x509_key);
395 if ((ret = gnutls_x509_privkey_import(x509_key, d_key, GNUTLS_X509_FMT_PEM)) != GNUTLS_E_SUCCESS)
396 {
397 rb_lib_log("rb_setup_ssl_server: Error loading key file: %s", gnutls_strerror(ret));
398 return 0;
399 }
400
401 x509_cert_count = MAX_CERTS;
402 if ((ret = gnutls_x509_crt_list_import(x509_cert, &x509_cert_count, d_cert, GNUTLS_X509_FMT_PEM,
403 GNUTLS_X509_CRT_LIST_IMPORT_FAIL_IF_EXCEED)) < 0)
404 {
405 rb_lib_log("rb_setup_ssl_server: Error loading certificate: %s", gnutls_strerror(ret));
406 return 0;
407 }
408 x509_cert_count = ret;
409
410 if((ret =
411 gnutls_certificate_set_x509_key_mem(x509, d_cert, d_key,
412 GNUTLS_X509_FMT_PEM)) != GNUTLS_E_SUCCESS)
413 {
414 rb_lib_log("rb_setup_ssl_server: Error loading certificate or key file: %s",
415 gnutls_strerror(ret));
416 return 0;
417 }
418
419 rb_free_datum_t(d_cert);
420 rb_free_datum_t(d_key);
421
422 if(dhfile != NULL)
423 {
424 if(gnutls_dh_params_init(&dh_params) == GNUTLS_E_SUCCESS)
425 {
426 gnutls_datum_t *data;
427 int xret;
428 data = rb_load_file_into_datum_t(dhfile);
429 if(data != NULL)
430 {
431 xret = gnutls_dh_params_import_pkcs3(dh_params, data,
432 GNUTLS_X509_FMT_PEM);
433 if(xret < 0)
434 rb_lib_log
435 ("rb_setup_ssl_server: Error parsing DH file: %s\n",
436 gnutls_strerror(xret));
437 rb_free_datum_t(data);
438 }
439 gnutls_certificate_set_dh_params(x509, dh_params);
440 }
441 else
442 rb_lib_log("rb_setup_ssl_server: Unable to setup DH parameters");
443 }
c1725bda 444
7233e364 445 ret = gnutls_priority_init(&default_priority, cipher_list, &err);
673ec98e
AC		 446 if (ret < 0)
447 {
448 rb_lib_log("rb_setup_ssl_server: syntax error (using defaults instead) in ssl cipher list at: %s", err);
449 gnutls_priority_init(&default_priority, NULL, &err);
450 return 1;
451 }
452
2bd29df9
AB		 453 return 1;
454}
455
456int
457rb_ssl_listen(rb_fde_t *F, int backlog, int defer_accept)
458{
459 int result;
460
fab6f9e8 461 result = rb_listen(F, backlog, defer_accept);
2bd29df9
AB		 462 F->type = RB_FD_SOCKET | RB_FD_LISTEN | RB_FD_SSL;
463
464 return result;
465}
466
467struct ssl_connect
468{
469 CNCB *callback;
470 void *data;
471 int timeout;
472};
473
474static void
475rb_ssl_connect_realcb(rb_fde_t *F, int status, struct ssl_connect *sconn)
476{
477 F->connect->callback = sconn->callback;
478 F->connect->data = sconn->data;
479 rb_free(sconn);
480 rb_connect_callback(F, status);
481}
482
483static void
484rb_ssl_tryconn_timeout_cb(rb_fde_t *F, void *data)
485{
486 rb_ssl_connect_realcb(F, RB_ERR_TIMEOUT, data);
487}
488
489static void
490rb_ssl_tryconn_cb(rb_fde_t *F, void *data)
491{
492 struct ssl_connect *sconn = data;
493 int ret;
494
495 ret = do_ssl_handshake(F, rb_ssl_tryconn_cb, (void *)sconn);
496
497 switch (ret)
498 {
499 case -1:
500 rb_ssl_connect_realcb(F, RB_ERROR_SSL, sconn);
501 break;
502 case 0:
503 /* do_ssl_handshake does the rb_setselect stuff */
504 return;
505 default:
506 break;
507
508
509 }
510 rb_ssl_connect_realcb(F, RB_OK, sconn);
511}
512
513static void
514rb_ssl_tryconn(rb_fde_t *F, int status, void *data)
515{
516 struct ssl_connect *sconn = data;
517 if(status != RB_OK)
518 {
519 rb_ssl_connect_realcb(F, status, sconn);
520 return;
521 }
522
523 F->type |= RB_FD_SSL;
524
525
526 rb_settimeout(F, sconn->timeout, rb_ssl_tryconn_timeout_cb, sconn);
527 F->ssl = rb_malloc(sizeof(gnutls_session_t));
528 gnutls_init(F->ssl, GNUTLS_CLIENT);
529 gnutls_set_default_priority(SSL_P(F));
530 gnutls_credentials_set(SSL_P(F), GNUTLS_CRD_CERTIFICATE, x509);
531 gnutls_dh_set_prime_bits(SSL_P(F), 1024);
532 gnutls_transport_set_ptr(SSL_P(F), (gnutls_transport_ptr_t) (long int)F->fd);
673ec98e 533 gnutls_priority_set(SSL_P(F), default_priority);
2bd29df9
AB		 534
535 do_ssl_handshake(F, rb_ssl_tryconn_cb, (void *)sconn);
536}
537
538void
539rb_connect_tcp_ssl(rb_fde_t *F, struct sockaddr *dest,
5ad62c80 540 struct sockaddr *clocal, CNCB * callback, void *data, int timeout)
2bd29df9
AB		 541{
542 struct ssl_connect *sconn;
543 if(F == NULL)
544 return;
545
546 sconn = rb_malloc(sizeof(struct ssl_connect));
547 sconn->data = data;
548 sconn->callback = callback;
549 sconn->timeout = timeout;
5ad62c80 550 rb_connect_tcp(F, dest, clocal, rb_ssl_tryconn, sconn, timeout);
2bd29df9
AB		 551
552}
553
554void
555rb_ssl_start_connected(rb_fde_t *F, CNCB * callback, void *data, int timeout)
556{
557 struct ssl_connect *sconn;
558 if(F == NULL)
559 return;
560
561 sconn = rb_malloc(sizeof(struct ssl_connect));
562 sconn->data = data;
563 sconn->callback = callback;
564 sconn->timeout = timeout;
565 F->connect = rb_malloc(sizeof(struct conndata));
566 F->connect->callback = callback;
567 F->connect->data = data;
568 F->type |= RB_FD_SSL;
569 F->ssl = rb_malloc(sizeof(gnutls_session_t));
570
571 gnutls_init(F->ssl, GNUTLS_CLIENT);
572 gnutls_set_default_priority(SSL_P(F));
573 gnutls_credentials_set(SSL_P(F), GNUTLS_CRD_CERTIFICATE, x509);
574 gnutls_dh_set_prime_bits(SSL_P(F), 1024);
575 gnutls_transport_set_ptr(SSL_P(F), (gnutls_transport_ptr_t) (long int)F->fd);
673ec98e 576 gnutls_priority_set(SSL_P(F), default_priority);
2bd29df9
AB		 577
578 rb_settimeout(F, sconn->timeout, rb_ssl_tryconn_timeout_cb, sconn);
579
580 do_ssl_handshake(F, rb_ssl_tryconn_cb, (void *)sconn);
581}
582
583int
584rb_init_prng(const char *path, prng_seed_t seed_type)
585{
7aa40f6d 586#if GNUTLS_VERSION_MAJOR < 3
2bd29df9 587 gcry_fast_random_poll();
7aa40f6d 588#endif
2bd29df9
AB		 589 return 1;
590}
591
592int
593rb_get_random(void *buf, size_t length)
594{
7aa40f6d 595#if GNUTLS_VERSION_MAJOR < 3
2bd29df9 596 gcry_randomize(buf, length, GCRY_STRONG_RANDOM);
7aa40f6d
AC		 597#else
598 gnutls_rnd(GNUTLS_RND_KEY, buf, length);
599#endif
2bd29df9
AB		 600 return 1;
601}
602
2bd29df9
AB		 603const char *
604rb_get_ssl_strerror(rb_fde_t *F)
605{
606 return gnutls_strerror(F->ssl_errno);
607}
608
e3760ba7 609static int
03469187 610make_certfp(gnutls_x509_crt_t cert, uint8_t certfp[RB_SSL_CERTFP_LEN], int method)
2bd29df9 611{
e6bbb410 612 gnutls_digest_algorithm_t algo;
2bd29df9
AB		 613 uint8_t digest[RB_SSL_CERTFP_LEN * 2];
614 size_t digest_size;
cf430c1a 615 bool spki = false;
e3760ba7 616 int len;
2bd29df9 617
e6bbb410
EM		 618 switch(method)
619 {
cf430c1a 620 case RB_SSL_CERTFP_METH_CERT_SHA1:
e6bbb410
EM		 621 algo = GNUTLS_DIG_SHA1;
622 len = RB_SSL_CERTFP_LEN_SHA1;
623 break;
cf430c1a
SA		 624 case RB_SSL_CERTFP_METH_SPKI_SHA256:
625 spki = true;
626 case RB_SSL_CERTFP_METH_CERT_SHA256:
e6bbb410
EM		 627 algo = GNUTLS_DIG_SHA256;
628 len = RB_SSL_CERTFP_LEN_SHA256;
629 break;
cf430c1a
SA		 630 case RB_SSL_CERTFP_METH_SPKI_SHA512:
631 spki = true;
632 case RB_SSL_CERTFP_METH_CERT_SHA512:
e6bbb410
EM		 633 algo = GNUTLS_DIG_SHA512;
634 len = RB_SSL_CERTFP_LEN_SHA512;
635 break;
636 default:
637 return 0;
638 }
639
cf430c1a 640 if (!spki)
2bd29df9 641 {
cf430c1a
SA		 642 if (gnutls_x509_crt_get_fingerprint(cert, algo, digest, &digest_size) < 0)
643 len = 0;
644 }
645 else
646 {
647 gnutls_pubkey_t pubkey;
648 unsigned char *der_pubkey = NULL;
649 size_t der_pubkey_len = 0;
650
651 if (gnutls_pubkey_init(&pubkey) == GNUTLS_E_SUCCESS)
652 {
653 if (gnutls_pubkey_import_x509(pubkey, cert, 0) == GNUTLS_E_SUCCESS)
654 {
655 if (gnutls_pubkey_export(pubkey, GNUTLS_X509_FMT_DER, der_pubkey, &der_pubkey_len) == GNUTLS_E_SHORT_MEMORY_BUFFER)
656 {
657 der_pubkey = rb_malloc(der_pubkey_len);
658
659 if (gnutls_pubkey_export(pubkey, GNUTLS_X509_FMT_DER, der_pubkey, &der_pubkey_len) != GNUTLS_E_SUCCESS)
660 {
661 rb_free(der_pubkey);
662 der_pubkey = NULL;
663 }
664 }
665 }
666
667 gnutls_pubkey_deinit(pubkey);
668 }
669
670 if (der_pubkey)
671 {
672 if (gnutls_hash_fast(algo, der_pubkey, der_pubkey_len, digest) != 0)
673 len = 0;
674
675 rb_free(der_pubkey);
676 }
677 else
678 {
679 len = 0;
680 }
2bd29df9
AB		 681 }
682
cf430c1a
SA		 683 if (len)
684 memcpy(certfp, digest, len);
03469187
SA		 685 return len;
686}
687
688int
689rb_get_ssl_certfp(rb_fde_t *F, uint8_t certfp[RB_SSL_CERTFP_LEN], int method)
690{
691 gnutls_x509_crt_t cert;
692 unsigned int cert_list_size;
693 const gnutls_datum_t *cert_list;
694 int len;
695
696 if (gnutls_certificate_type_get(SSL_P(F)) != GNUTLS_CRT_X509)
697 return 0;
698
699 if (gnutls_x509_crt_init(&cert) < 0)
700 return 0;
701
702 cert_list_size = 0;
703 cert_list = gnutls_certificate_get_peers(SSL_P(F), &cert_list_size);
704 if (cert_list == NULL)
705 {
706 gnutls_x509_crt_deinit(cert);
707 return 0;
708 }
709
710 if (gnutls_x509_crt_import(cert, &cert_list[0], GNUTLS_X509_FMT_DER) < 0)
711 {
712 gnutls_x509_crt_deinit(cert);
713 return 0;
714 }
715
716 len = make_certfp(cert, certfp, method);
717 gnutls_x509_crt_deinit(cert);
718 return len;
719}
720
721int
722rb_get_ssl_certfp_file(const char *filename, uint8_t certfp[RB_SSL_CERTFP_LEN], int method)
723{
724 gnutls_x509_crt_t cert;
725 gnutls_datum_t *d_cert;
726 unsigned int len;
727
728 if ((d_cert = rb_load_file_into_datum_t(filename)) == NULL)
729 return -1;
730
731 if (gnutls_x509_crt_init(&cert) < 0)
732 return -1;
733
734 if (gnutls_x509_crt_import(cert, d_cert, GNUTLS_X509_FMT_PEM) != 0)
735 return -1;
2bd29df9 736
03469187 737 len = make_certfp(cert, certfp, method);
2bd29df9 738 gnutls_x509_crt_deinit(cert);
e6bbb410 739 return len;
2bd29df9
AB		 740}
741
742int
743rb_supports_ssl(void)
744{
745 return 1;
746}
747
748void
749rb_get_ssl_info(char *buf, size_t len)
750{
c40eede1 751 snprintf(buf, len, "GNUTLS: compiled (%s), library (%s)",
2bd29df9
AB		 752 LIBGNUTLS_VERSION, gnutls_check_version(NULL));
753}
55abcbb2 754
833b2f9c
AC		 755const char *
756rb_ssl_get_cipher(rb_fde_t *F)
757{
758 static char buf[1024];
759
5203cba5 760 snprintf(buf, sizeof(buf), "%s-%s-%s-%s",
833b2f9c
AC		 761 gnutls_protocol_get_name(gnutls_protocol_get_version(SSL_P(F))),
762 gnutls_kx_get_name(gnutls_kx_get(SSL_P(F))),
763 gnutls_cipher_get_name(gnutls_cipher_get(SSL_P(F))),
764 gnutls_mac_get_name(gnutls_mac_get(SSL_P(F))));
765
766 return buf;
767}
55abcbb2 768
2bd29df9 769#endif /* HAVE_GNUTLS */
Fork of solanum ircd, history is rebased regularly