]>
Commit | Line | Data |
---|---|---|
2bd29df9 | 1 | /* |
fe037171 | 2 | * librb: a library used by charybdis and other things |
2bd29df9 AB |
3 | * gnutls.c: gnutls related code |
4 | * | |
5 | * Copyright (C) 2007-2008 ircd-ratbox development team | |
6 | * Copyright (C) 2007-2008 Aaron Sethman <androsyn@ratbox.org> | |
7 | * | |
8 | * This program is free software; you can redistribute it and/or modify | |
9 | * it under the terms of the GNU General Public License as published by | |
10 | * the Free Software Foundation; either version 2 of the License, or | |
11 | * (at your option) any later version. | |
12 | * | |
13 | * This program is distributed in the hope that it will be useful, | |
14 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | |
15 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
16 | * GNU General Public License for more details. | |
55abcbb2 | 17 | * |
2bd29df9 AB |
18 | * You should have received a copy of the GNU General Public License |
19 | * along with this program; if not, write to the Free Software | |
20 | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 | |
21 | * USA | |
22 | * | |
23 | * $Id: gnutls.c 26296 2008-12-13 03:36:00Z androsyn $ | |
24 | */ | |
25 | ||
fe037171 EM |
26 | #include <librb_config.h> |
27 | #include <rb_lib.h> | |
2bd29df9 AB |
28 | #include <commio-int.h> |
29 | #include <commio-ssl.h> | |
30 | #ifdef HAVE_GNUTLS | |
31 | ||
32 | #include <gnutls/gnutls.h> | |
33 | #include <gnutls/x509.h> | |
7aa40f6d | 34 | |
c56f5979 | 35 | #if (GNUTLS_VERSION_MAJOR < 3) |
7aa40f6d | 36 | # include <gcrypt.h> |
c56f5979 VI |
37 | #else |
38 | # include <gnutls/crypto.h> | |
7aa40f6d | 39 | #endif |
2bd29df9 | 40 | |
c56f5979 VI |
41 | static gnutls_certificate_credentials_t x509; |
42 | static gnutls_dh_params_t dh_params; | |
673ec98e | 43 | static gnutls_priority_t default_priority; |
2bd29df9 AB |
44 | |
45 | /* These are all used for getting GnuTLS to supply a client cert. */ | |
46 | #define MAX_CERTS 6 | |
47 | static unsigned int x509_cert_count; | |
48 | static gnutls_x509_crt_t x509_cert[MAX_CERTS]; | |
49 | static gnutls_x509_privkey_t x509_key; | |
f7036bbe | 50 | #if GNUTLS_VERSION_MAJOR < 3 |
2bd29df9 AB |
51 | static int cert_callback(gnutls_session_t session, const gnutls_datum_t *req_ca_rdn, int nreqs, |
52 | const gnutls_pk_algorithm_t *sign_algos, int sign_algos_len, gnutls_retr_st *st); | |
f7036bbe AC |
53 | #else |
54 | static int cert_callback(gnutls_session_t session, const gnutls_datum_t *req_ca_rdn, int nreqs, | |
55 | const gnutls_pk_algorithm_t *sign_algos, int sign_algos_len, gnutls_retr2_st *st); | |
56 | #endif | |
2bd29df9 AB |
57 | |
58 | #define SSL_P(x) *((gnutls_session_t *)F->ssl) | |
59 | ||
60 | void | |
61 | rb_ssl_shutdown(rb_fde_t *F) | |
62 | { | |
63 | int i; | |
64 | if(F == NULL || F->ssl == NULL) | |
65 | return; | |
66 | for(i = 0; i < 4; i++) | |
67 | { | |
68 | if(gnutls_bye(SSL_P(F), GNUTLS_SHUT_RDWR) == GNUTLS_E_SUCCESS) | |
69 | break; | |
70 | } | |
71 | gnutls_deinit(SSL_P(F)); | |
72 | rb_free(F->ssl); | |
73 | } | |
74 | ||
75 | unsigned int | |
76 | rb_ssl_handshake_count(rb_fde_t *F) | |
77 | { | |
78 | return F->handshake_count; | |
79 | } | |
80 | ||
81 | void | |
82 | rb_ssl_clear_handshake_count(rb_fde_t *F) | |
83 | { | |
84 | F->handshake_count = 0; | |
85 | } | |
86 | ||
87 | static void | |
88 | rb_ssl_timeout(rb_fde_t *F, void *notused) | |
89 | { | |
90 | lrb_assert(F->accept != NULL); | |
91 | F->accept->callback(F, RB_ERR_TIMEOUT, NULL, 0, F->accept->data); | |
92 | } | |
93 | ||
94 | ||
95 | static int | |
96 | do_ssl_handshake(rb_fde_t *F, PF * callback, void *data) | |
97 | { | |
98 | int ret; | |
99 | int flags; | |
100 | ||
101 | ret = gnutls_handshake(SSL_P(F)); | |
102 | if(ret < 0) | |
103 | { | |
104 | if((ret == GNUTLS_E_INTERRUPTED && rb_ignore_errno(errno)) || ret == GNUTLS_E_AGAIN) | |
105 | { | |
106 | if(gnutls_record_get_direction(SSL_P(F)) == 0) | |
107 | flags = RB_SELECT_READ; | |
108 | else | |
109 | flags = RB_SELECT_WRITE; | |
110 | rb_setselect(F, flags, callback, data); | |
111 | return 0; | |
112 | } | |
113 | F->ssl_errno = ret; | |
114 | return -1; | |
115 | } | |
116 | return 1; /* handshake is finished..go about life */ | |
117 | } | |
118 | ||
119 | static void | |
120 | rb_ssl_tryaccept(rb_fde_t *F, void *data) | |
121 | { | |
122 | int ret; | |
123 | struct acceptdata *ad; | |
124 | ||
125 | lrb_assert(F->accept != NULL); | |
126 | ||
127 | ret = do_ssl_handshake(F, rb_ssl_tryaccept, NULL); | |
128 | ||
129 | /* do_ssl_handshake does the rb_setselect */ | |
130 | if(ret == 0) | |
131 | return; | |
132 | ||
133 | ad = F->accept; | |
134 | F->accept = NULL; | |
135 | rb_settimeout(F, 0, NULL, NULL); | |
136 | rb_setselect(F, RB_SELECT_READ | RB_SELECT_WRITE, NULL, NULL); | |
55abcbb2 | 137 | |
2bd29df9 AB |
138 | if(ret > 0) |
139 | ad->callback(F, RB_OK, (struct sockaddr *)&ad->S, ad->addrlen, ad->data); | |
140 | else | |
141 | ad->callback(F, RB_ERROR_SSL, NULL, 0, ad->data); | |
142 | ||
143 | rb_free(ad); | |
144 | } | |
145 | ||
146 | void | |
147 | rb_ssl_start_accepted(rb_fde_t *new_F, ACCB * cb, void *data, int timeout) | |
148 | { | |
149 | gnutls_session_t *ssl; | |
150 | new_F->type |= RB_FD_SSL; | |
151 | ssl = new_F->ssl = rb_malloc(sizeof(gnutls_session_t)); | |
152 | new_F->accept = rb_malloc(sizeof(struct acceptdata)); | |
153 | ||
154 | new_F->accept->callback = cb; | |
155 | new_F->accept->data = data; | |
156 | rb_settimeout(new_F, timeout, rb_ssl_timeout, NULL); | |
157 | ||
158 | new_F->accept->addrlen = 0; | |
159 | ||
160 | gnutls_init(ssl, GNUTLS_SERVER); | |
161 | gnutls_set_default_priority(*ssl); | |
162 | gnutls_credentials_set(*ssl, GNUTLS_CRD_CERTIFICATE, x509); | |
163 | gnutls_dh_set_prime_bits(*ssl, 1024); | |
164 | gnutls_transport_set_ptr(*ssl, (gnutls_transport_ptr_t) (long int)new_F->fd); | |
165 | gnutls_certificate_server_set_request(*ssl, GNUTLS_CERT_REQUEST); | |
c56f5979 | 166 | gnutls_priority_set(*ssl, default_priority); |
673ec98e | 167 | |
2bd29df9 AB |
168 | if(do_ssl_handshake(new_F, rb_ssl_tryaccept, NULL)) |
169 | { | |
170 | struct acceptdata *ad = new_F->accept; | |
171 | new_F->accept = NULL; | |
172 | ad->callback(new_F, RB_OK, (struct sockaddr *)&ad->S, ad->addrlen, ad->data); | |
173 | rb_free(ad); | |
174 | } | |
175 | ||
176 | } | |
177 | ||
178 | ||
179 | ||
180 | ||
181 | void | |
182 | rb_ssl_accept_setup(rb_fde_t *F, rb_fde_t *new_F, struct sockaddr *st, int addrlen) | |
183 | { | |
184 | new_F->type |= RB_FD_SSL; | |
185 | new_F->ssl = rb_malloc(sizeof(gnutls_session_t)); | |
186 | new_F->accept = rb_malloc(sizeof(struct acceptdata)); | |
187 | ||
188 | new_F->accept->callback = F->accept->callback; | |
189 | new_F->accept->data = F->accept->data; | |
190 | rb_settimeout(new_F, 10, rb_ssl_timeout, NULL); | |
191 | memcpy(&new_F->accept->S, st, addrlen); | |
192 | new_F->accept->addrlen = addrlen; | |
193 | ||
194 | gnutls_init((gnutls_session_t *) new_F->ssl, GNUTLS_SERVER); | |
195 | gnutls_set_default_priority(SSL_P(new_F)); | |
196 | gnutls_credentials_set(SSL_P(new_F), GNUTLS_CRD_CERTIFICATE, x509); | |
197 | gnutls_dh_set_prime_bits(SSL_P(new_F), 1024); | |
198 | gnutls_transport_set_ptr(SSL_P(new_F), (gnutls_transport_ptr_t) (long int)rb_get_fd(new_F)); | |
199 | gnutls_certificate_server_set_request(SSL_P(new_F), GNUTLS_CERT_REQUEST); | |
673ec98e AC |
200 | gnutls_priority_set(SSL_P(F), default_priority); |
201 | ||
2bd29df9 AB |
202 | if(do_ssl_handshake(F, rb_ssl_tryaccept, NULL)) |
203 | { | |
204 | struct acceptdata *ad = F->accept; | |
205 | F->accept = NULL; | |
206 | ad->callback(F, RB_OK, (struct sockaddr *)&ad->S, ad->addrlen, ad->data); | |
207 | rb_free(ad); | |
208 | } | |
209 | } | |
210 | ||
211 | ||
212 | ||
213 | ||
214 | static ssize_t | |
215 | rb_ssl_read_or_write(int r_or_w, rb_fde_t *F, void *rbuf, const void *wbuf, size_t count) | |
216 | { | |
217 | ssize_t ret; | |
218 | gnutls_session_t *ssl = F->ssl; | |
219 | ||
220 | if(r_or_w == 0) | |
221 | ret = gnutls_record_recv(*ssl, rbuf, count); | |
222 | else | |
223 | ret = gnutls_record_send(*ssl, wbuf, count); | |
224 | ||
225 | if(ret < 0) | |
226 | { | |
227 | switch (ret) | |
228 | { | |
229 | case GNUTLS_E_AGAIN: | |
230 | case GNUTLS_E_INTERRUPTED: | |
231 | if(rb_ignore_errno(errno)) | |
232 | { | |
233 | if(gnutls_record_get_direction(*ssl) == 0) | |
234 | return RB_RW_SSL_NEED_READ; | |
235 | else | |
236 | return RB_RW_SSL_NEED_WRITE; | |
237 | break; | |
238 | } | |
239 | default: | |
240 | F->ssl_errno = ret; | |
241 | errno = EIO; | |
242 | return RB_RW_IO_ERROR; | |
243 | } | |
244 | } | |
245 | return ret; | |
246 | } | |
247 | ||
248 | ssize_t | |
249 | rb_ssl_read(rb_fde_t *F, void *buf, size_t count) | |
250 | { | |
251 | return rb_ssl_read_or_write(0, F, buf, NULL, count); | |
252 | } | |
253 | ||
254 | ssize_t | |
255 | rb_ssl_write(rb_fde_t *F, const void *buf, size_t count) | |
256 | { | |
257 | return rb_ssl_read_or_write(1, F, NULL, buf, count); | |
258 | } | |
259 | ||
c56f5979 | 260 | #if (GNUTLS_VERSION_MAJOR < 3) |
2bd29df9 AB |
261 | static void |
262 | rb_gcry_random_seed(void *unused) | |
263 | { | |
264 | gcry_fast_random_poll(); | |
265 | } | |
c56f5979 | 266 | #endif |
2bd29df9 AB |
267 | |
268 | int | |
269 | rb_init_ssl(void) | |
270 | { | |
271 | gnutls_global_init(); | |
272 | ||
273 | if(gnutls_certificate_allocate_credentials(&x509) != GNUTLS_E_SUCCESS) | |
274 | { | |
275 | rb_lib_log("rb_init_ssl: Unable to allocate SSL/TLS certificate credentials"); | |
276 | return 0; | |
277 | } | |
278 | ||
f7036bbe | 279 | #if GNUTLS_VERSION_MAJOR < 3 |
2bd29df9 | 280 | gnutls_certificate_client_set_retrieve_function(x509, cert_callback); |
f7036bbe AC |
281 | #else |
282 | gnutls_certificate_set_retrieve_function(x509, cert_callback); | |
283 | #endif | |
2bd29df9 | 284 | |
c56f5979 | 285 | #if (GNUTLS_VERSION_MAJOR < 3) |
2bd29df9 | 286 | rb_event_addish("rb_gcry_random_seed", rb_gcry_random_seed, NULL, 300); |
c56f5979 VI |
287 | #endif |
288 | ||
2bd29df9 AB |
289 | return 1; |
290 | } | |
291 | ||
292 | /* We only have one certificate to authenticate with, as both client and server. Unfortunately, | |
293 | * GnuTLS tries to be clever, and as client, will attempt to use a certificate that the server | |
294 | * will trust. We usually use self-signed certs, though, so the result of this search is always | |
295 | * nothing. Therefore, it uses no certificate to authenticate as a client. This is undesirable | |
296 | * as it breaks fingerprint auth. Thus, we use this callback to force GnuTLS to always | |
297 | * authenticate with our certificate at all times. | |
298 | */ | |
f7036bbe | 299 | #if GNUTLS_VERSION_MAJOR < 3 |
2bd29df9 AB |
300 | static int |
301 | cert_callback(gnutls_session_t session, const gnutls_datum_t *req_ca_rdn, int nreqs, | |
302 | const gnutls_pk_algorithm_t *sign_algos, int sign_algos_len, gnutls_retr_st *st) | |
f7036bbe AC |
303 | #else |
304 | static int | |
305 | cert_callback(gnutls_session_t session, const gnutls_datum_t *req_ca_rdn, int nreqs, | |
306 | const gnutls_pk_algorithm_t *sign_algos, int sign_algos_len, gnutls_retr2_st *st) | |
307 | #endif | |
2bd29df9 AB |
308 | { |
309 | /* XXX - ugly hack. Tell GnuTLS to use the first (only) certificate we have for auth. */ | |
c56f5979 | 310 | #if (GNUTLS_VERSION_MAJOR < 3) |
2bd29df9 | 311 | st->type = GNUTLS_CRT_X509; |
c56f5979 VI |
312 | #else |
313 | st->cert_type = GNUTLS_CRT_X509; | |
314 | st->key_type = GNUTLS_PRIVKEY_X509; | |
315 | #endif | |
2bd29df9 AB |
316 | st->ncerts = x509_cert_count; |
317 | st->cert.x509 = x509_cert; | |
318 | st->key.x509 = x509_key; | |
c56f5979 | 319 | st->deinit_all = 0; |
2bd29df9 AB |
320 | |
321 | return 0; | |
322 | } | |
323 | ||
324 | static void | |
325 | rb_free_datum_t(gnutls_datum_t * d) | |
326 | { | |
327 | rb_free(d->data); | |
328 | rb_free(d); | |
329 | } | |
330 | ||
331 | static gnutls_datum_t * | |
332 | rb_load_file_into_datum_t(const char *file) | |
333 | { | |
334 | FILE *f; | |
335 | gnutls_datum_t *datum; | |
336 | struct stat fileinfo; | |
337 | if((f = fopen(file, "r")) == NULL) | |
338 | return NULL; | |
339 | if(fstat(fileno(f), &fileinfo)) | |
340 | return NULL; | |
341 | ||
342 | datum = rb_malloc(sizeof(gnutls_datum_t)); | |
343 | ||
344 | if(fileinfo.st_size > 131072) /* deal with retards */ | |
345 | datum->size = 131072; | |
346 | else | |
347 | datum->size = fileinfo.st_size; | |
348 | ||
349 | datum->data = rb_malloc(datum->size + 1); | |
350 | fread(datum->data, datum->size, 1, f); | |
351 | fclose(f); | |
352 | return datum; | |
353 | } | |
354 | ||
355 | int | |
c1725bda | 356 | rb_setup_ssl_server(const char *cert, const char *keyfile, const char *dhfile, const char *cipher_list) |
2bd29df9 AB |
357 | { |
358 | int ret; | |
673ec98e | 359 | const char *err; |
2bd29df9 AB |
360 | gnutls_datum_t *d_cert, *d_key; |
361 | if(cert == NULL) | |
362 | { | |
363 | rb_lib_log("rb_setup_ssl_server: No certificate file"); | |
364 | return 0; | |
365 | } | |
366 | ||
367 | if((d_cert = rb_load_file_into_datum_t(cert)) == NULL) | |
368 | { | |
369 | rb_lib_log("rb_setup_ssl_server: Error loading certificate: %s", strerror(errno)); | |
370 | return 0; | |
371 | } | |
372 | ||
373 | if((d_key = rb_load_file_into_datum_t(keyfile)) == NULL) | |
374 | { | |
375 | rb_lib_log("rb_setup_ssl_server: Error loading key: %s", strerror(errno)); | |
376 | return 0; | |
377 | } | |
378 | ||
379 | /* In addition to creating the certificate set, we also need to store our cert elsewhere | |
380 | * so we can force GnuTLS to identify with it when acting as a client. | |
381 | */ | |
382 | gnutls_x509_privkey_init(&x509_key); | |
383 | if ((ret = gnutls_x509_privkey_import(x509_key, d_key, GNUTLS_X509_FMT_PEM)) != GNUTLS_E_SUCCESS) | |
384 | { | |
385 | rb_lib_log("rb_setup_ssl_server: Error loading key file: %s", gnutls_strerror(ret)); | |
386 | return 0; | |
387 | } | |
388 | ||
389 | x509_cert_count = MAX_CERTS; | |
390 | if ((ret = gnutls_x509_crt_list_import(x509_cert, &x509_cert_count, d_cert, GNUTLS_X509_FMT_PEM, | |
391 | GNUTLS_X509_CRT_LIST_IMPORT_FAIL_IF_EXCEED)) < 0) | |
392 | { | |
393 | rb_lib_log("rb_setup_ssl_server: Error loading certificate: %s", gnutls_strerror(ret)); | |
394 | return 0; | |
395 | } | |
396 | x509_cert_count = ret; | |
397 | ||
398 | if((ret = | |
399 | gnutls_certificate_set_x509_key_mem(x509, d_cert, d_key, | |
400 | GNUTLS_X509_FMT_PEM)) != GNUTLS_E_SUCCESS) | |
401 | { | |
402 | rb_lib_log("rb_setup_ssl_server: Error loading certificate or key file: %s", | |
403 | gnutls_strerror(ret)); | |
404 | return 0; | |
405 | } | |
406 | ||
407 | rb_free_datum_t(d_cert); | |
408 | rb_free_datum_t(d_key); | |
409 | ||
410 | if(dhfile != NULL) | |
411 | { | |
412 | if(gnutls_dh_params_init(&dh_params) == GNUTLS_E_SUCCESS) | |
413 | { | |
414 | gnutls_datum_t *data; | |
415 | int xret; | |
416 | data = rb_load_file_into_datum_t(dhfile); | |
417 | if(data != NULL) | |
418 | { | |
419 | xret = gnutls_dh_params_import_pkcs3(dh_params, data, | |
420 | GNUTLS_X509_FMT_PEM); | |
421 | if(xret < 0) | |
422 | rb_lib_log | |
423 | ("rb_setup_ssl_server: Error parsing DH file: %s\n", | |
424 | gnutls_strerror(xret)); | |
425 | rb_free_datum_t(data); | |
426 | } | |
427 | gnutls_certificate_set_dh_params(x509, dh_params); | |
428 | } | |
429 | else | |
430 | rb_lib_log("rb_setup_ssl_server: Unable to setup DH parameters"); | |
431 | } | |
c1725bda | 432 | |
7233e364 | 433 | ret = gnutls_priority_init(&default_priority, cipher_list, &err); |
673ec98e AC |
434 | if (ret < 0) |
435 | { | |
436 | rb_lib_log("rb_setup_ssl_server: syntax error (using defaults instead) in ssl cipher list at: %s", err); | |
437 | gnutls_priority_init(&default_priority, NULL, &err); | |
438 | return 1; | |
439 | } | |
440 | ||
2bd29df9 AB |
441 | return 1; |
442 | } | |
443 | ||
444 | int | |
445 | rb_ssl_listen(rb_fde_t *F, int backlog, int defer_accept) | |
446 | { | |
447 | int result; | |
448 | ||
fab6f9e8 | 449 | result = rb_listen(F, backlog, defer_accept); |
2bd29df9 AB |
450 | F->type = RB_FD_SOCKET | RB_FD_LISTEN | RB_FD_SSL; |
451 | ||
452 | return result; | |
453 | } | |
454 | ||
455 | struct ssl_connect | |
456 | { | |
457 | CNCB *callback; | |
458 | void *data; | |
459 | int timeout; | |
460 | }; | |
461 | ||
462 | static void | |
463 | rb_ssl_connect_realcb(rb_fde_t *F, int status, struct ssl_connect *sconn) | |
464 | { | |
465 | F->connect->callback = sconn->callback; | |
466 | F->connect->data = sconn->data; | |
467 | rb_free(sconn); | |
468 | rb_connect_callback(F, status); | |
469 | } | |
470 | ||
471 | static void | |
472 | rb_ssl_tryconn_timeout_cb(rb_fde_t *F, void *data) | |
473 | { | |
474 | rb_ssl_connect_realcb(F, RB_ERR_TIMEOUT, data); | |
475 | } | |
476 | ||
477 | static void | |
478 | rb_ssl_tryconn_cb(rb_fde_t *F, void *data) | |
479 | { | |
480 | struct ssl_connect *sconn = data; | |
481 | int ret; | |
482 | ||
483 | ret = do_ssl_handshake(F, rb_ssl_tryconn_cb, (void *)sconn); | |
484 | ||
485 | switch (ret) | |
486 | { | |
487 | case -1: | |
488 | rb_ssl_connect_realcb(F, RB_ERROR_SSL, sconn); | |
489 | break; | |
490 | case 0: | |
491 | /* do_ssl_handshake does the rb_setselect stuff */ | |
492 | return; | |
493 | default: | |
494 | break; | |
495 | ||
496 | ||
497 | } | |
498 | rb_ssl_connect_realcb(F, RB_OK, sconn); | |
499 | } | |
500 | ||
501 | static void | |
502 | rb_ssl_tryconn(rb_fde_t *F, int status, void *data) | |
503 | { | |
504 | struct ssl_connect *sconn = data; | |
505 | if(status != RB_OK) | |
506 | { | |
507 | rb_ssl_connect_realcb(F, status, sconn); | |
508 | return; | |
509 | } | |
510 | ||
511 | F->type |= RB_FD_SSL; | |
512 | ||
513 | ||
514 | rb_settimeout(F, sconn->timeout, rb_ssl_tryconn_timeout_cb, sconn); | |
515 | F->ssl = rb_malloc(sizeof(gnutls_session_t)); | |
516 | gnutls_init(F->ssl, GNUTLS_CLIENT); | |
517 | gnutls_set_default_priority(SSL_P(F)); | |
518 | gnutls_credentials_set(SSL_P(F), GNUTLS_CRD_CERTIFICATE, x509); | |
519 | gnutls_dh_set_prime_bits(SSL_P(F), 1024); | |
520 | gnutls_transport_set_ptr(SSL_P(F), (gnutls_transport_ptr_t) (long int)F->fd); | |
673ec98e | 521 | gnutls_priority_set(SSL_P(F), default_priority); |
2bd29df9 AB |
522 | |
523 | do_ssl_handshake(F, rb_ssl_tryconn_cb, (void *)sconn); | |
524 | } | |
525 | ||
526 | void | |
527 | rb_connect_tcp_ssl(rb_fde_t *F, struct sockaddr *dest, | |
528 | struct sockaddr *clocal, int socklen, CNCB * callback, void *data, int timeout) | |
529 | { | |
530 | struct ssl_connect *sconn; | |
531 | if(F == NULL) | |
532 | return; | |
533 | ||
534 | sconn = rb_malloc(sizeof(struct ssl_connect)); | |
535 | sconn->data = data; | |
536 | sconn->callback = callback; | |
537 | sconn->timeout = timeout; | |
538 | rb_connect_tcp(F, dest, clocal, socklen, rb_ssl_tryconn, sconn, timeout); | |
539 | ||
540 | } | |
541 | ||
542 | void | |
543 | rb_ssl_start_connected(rb_fde_t *F, CNCB * callback, void *data, int timeout) | |
544 | { | |
545 | struct ssl_connect *sconn; | |
546 | if(F == NULL) | |
547 | return; | |
548 | ||
549 | sconn = rb_malloc(sizeof(struct ssl_connect)); | |
550 | sconn->data = data; | |
551 | sconn->callback = callback; | |
552 | sconn->timeout = timeout; | |
553 | F->connect = rb_malloc(sizeof(struct conndata)); | |
554 | F->connect->callback = callback; | |
555 | F->connect->data = data; | |
556 | F->type |= RB_FD_SSL; | |
557 | F->ssl = rb_malloc(sizeof(gnutls_session_t)); | |
558 | ||
559 | gnutls_init(F->ssl, GNUTLS_CLIENT); | |
560 | gnutls_set_default_priority(SSL_P(F)); | |
561 | gnutls_credentials_set(SSL_P(F), GNUTLS_CRD_CERTIFICATE, x509); | |
562 | gnutls_dh_set_prime_bits(SSL_P(F), 1024); | |
563 | gnutls_transport_set_ptr(SSL_P(F), (gnutls_transport_ptr_t) (long int)F->fd); | |
673ec98e | 564 | gnutls_priority_set(SSL_P(F), default_priority); |
2bd29df9 AB |
565 | |
566 | rb_settimeout(F, sconn->timeout, rb_ssl_tryconn_timeout_cb, sconn); | |
567 | ||
568 | do_ssl_handshake(F, rb_ssl_tryconn_cb, (void *)sconn); | |
569 | } | |
570 | ||
571 | int | |
572 | rb_init_prng(const char *path, prng_seed_t seed_type) | |
573 | { | |
7aa40f6d | 574 | #if GNUTLS_VERSION_MAJOR < 3 |
2bd29df9 | 575 | gcry_fast_random_poll(); |
7aa40f6d | 576 | #endif |
2bd29df9 AB |
577 | return 1; |
578 | } | |
579 | ||
580 | int | |
581 | rb_get_random(void *buf, size_t length) | |
582 | { | |
7aa40f6d | 583 | #if GNUTLS_VERSION_MAJOR < 3 |
2bd29df9 | 584 | gcry_randomize(buf, length, GCRY_STRONG_RANDOM); |
7aa40f6d AC |
585 | #else |
586 | gnutls_rnd(GNUTLS_RND_KEY, buf, length); | |
587 | #endif | |
2bd29df9 AB |
588 | return 1; |
589 | } | |
590 | ||
2bd29df9 AB |
591 | const char * |
592 | rb_get_ssl_strerror(rb_fde_t *F) | |
593 | { | |
594 | return gnutls_strerror(F->ssl_errno); | |
595 | } | |
596 | ||
597 | int | |
e6bbb410 | 598 | rb_get_ssl_certfp(rb_fde_t *F, uint8_t certfp[RB_SSL_CERTFP_LEN], int method) |
2bd29df9 AB |
599 | { |
600 | gnutls_x509_crt_t cert; | |
e6bbb410 | 601 | gnutls_digest_algorithm_t algo; |
2bd29df9 AB |
602 | unsigned int cert_list_size; |
603 | const gnutls_datum_t *cert_list; | |
604 | uint8_t digest[RB_SSL_CERTFP_LEN * 2]; | |
605 | size_t digest_size; | |
e6bbb410 | 606 | int len; |
2bd29df9 AB |
607 | |
608 | if (gnutls_certificate_type_get(SSL_P(F)) != GNUTLS_CRT_X509) | |
609 | return 0; | |
610 | ||
611 | if (gnutls_x509_crt_init(&cert) < 0) | |
612 | return 0; | |
613 | ||
614 | cert_list_size = 0; | |
615 | cert_list = gnutls_certificate_get_peers(SSL_P(F), &cert_list_size); | |
616 | if (cert_list == NULL) | |
617 | { | |
618 | gnutls_x509_crt_deinit(cert); | |
619 | return 0; | |
620 | } | |
621 | ||
622 | if (gnutls_x509_crt_import(cert, &cert_list[0], GNUTLS_X509_FMT_DER) < 0) | |
623 | { | |
624 | gnutls_x509_crt_deinit(cert); | |
625 | return 0; | |
626 | } | |
627 | ||
e6bbb410 EM |
628 | switch(method) |
629 | { | |
630 | case RB_SSL_CERTFP_METH_SHA1: | |
631 | algo = GNUTLS_DIG_SHA1; | |
632 | len = RB_SSL_CERTFP_LEN_SHA1; | |
633 | break; | |
634 | case RB_SSL_CERTFP_METH_SHA256: | |
635 | algo = GNUTLS_DIG_SHA256; | |
636 | len = RB_SSL_CERTFP_LEN_SHA256; | |
637 | break; | |
638 | case RB_SSL_CERTFP_METH_SHA512: | |
639 | algo = GNUTLS_DIG_SHA512; | |
640 | len = RB_SSL_CERTFP_LEN_SHA512; | |
641 | break; | |
642 | default: | |
643 | return 0; | |
644 | } | |
645 | ||
646 | if (gnutls_x509_crt_get_fingerprint(cert, algo, digest, &digest_size) < 0) | |
2bd29df9 AB |
647 | { |
648 | gnutls_x509_crt_deinit(cert); | |
649 | return 0; | |
650 | } | |
651 | ||
e6bbb410 | 652 | memcpy(certfp, digest, len); |
2bd29df9 AB |
653 | |
654 | gnutls_x509_crt_deinit(cert); | |
e6bbb410 | 655 | return len; |
2bd29df9 AB |
656 | } |
657 | ||
658 | int | |
659 | rb_supports_ssl(void) | |
660 | { | |
661 | return 1; | |
662 | } | |
663 | ||
664 | void | |
665 | rb_get_ssl_info(char *buf, size_t len) | |
666 | { | |
5203cba5 | 667 | snprintf(buf, len, "GNUTLS: compiled (%s), library(%s)", |
2bd29df9 AB |
668 | LIBGNUTLS_VERSION, gnutls_check_version(NULL)); |
669 | } | |
55abcbb2 | 670 | |
833b2f9c AC |
671 | const char * |
672 | rb_ssl_get_cipher(rb_fde_t *F) | |
673 | { | |
674 | static char buf[1024]; | |
675 | ||
5203cba5 | 676 | snprintf(buf, sizeof(buf), "%s-%s-%s-%s", |
833b2f9c AC |
677 | gnutls_protocol_get_name(gnutls_protocol_get_version(SSL_P(F))), |
678 | gnutls_kx_get_name(gnutls_kx_get(SSL_P(F))), | |
679 | gnutls_cipher_get_name(gnutls_cipher_get(SSL_P(F))), | |
680 | gnutls_mac_get_name(gnutls_mac_get(SSL_P(F)))); | |
681 | ||
682 | return buf; | |
683 | } | |
55abcbb2 | 684 | |
2bd29df9 | 685 | #endif /* HAVE_GNUTLS */ |