[solanum.git] / libratbox / src / openssl.c

/*
 *  libratbox: a library used by ircd-ratbox and other things
 *  openssl.c: openssl related code
 *
 *  Copyright (C) 2007-2008 ircd-ratbox development team
 *  Copyright (C) 2007-2008 Aaron Sethman <androsyn@ratbox.org>
 *
 *  This program is free software; you can redistribute it and/or modify
 *  it under the terms of the GNU General Public License as published by
 *  the Free Software Foundation; either version 2 of the License, or
 *  (at your option) any later version.
 *
 *  This program is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *  GNU General Public License for more details.
 *
 *  You should have received a copy of the GNU General Public License
 *  along with this program; if not, write to the Free Software
 *  Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301
 *  USA
 *
 *  $Id: commio.c 24808 2008-01-02 08:17:05Z androsyn $
 */

#include <libratbox_config.h>
#include <ratbox_lib.h>

#ifdef HAVE_OPENSSL

#include <commio-int.h>
#include <commio-ssl.h>
#include <openssl/ssl.h>
#include <openssl/dh.h>
#include <openssl/err.h>
#include <openssl/evp.h>
#include <openssl/rand.h>
#include <openssl/opensslv.h>

/*
 * This is a mess but what can you do when the library authors
 * refuse to play ball with established conventions?
 */
#if defined(LIBRESSL_VERSION_NUMBER) && (LIBRESSL_VERSION_NUMBER >= 0x20020002L)
#  define LRB_HAVE_TLS_METHOD_API 1
#else
#  if !defined(LIBRESSL_VERSION_NUMBER) && (OPENSSL_VERSION_NUMBER >= 0x10100000L)
#    define LRB_HAVE_TLS_METHOD_API 1
#  endif
#endif

static SSL_CTX *ssl_server_ctx;
static SSL_CTX *ssl_client_ctx;
static int libratbox_index = -1;

static unsigned long
get_last_err(void)
{
	unsigned long t_err, err = 0;
	err = ERR_get_error();
	if(err == 0)
		return 0;

	while((t_err = ERR_get_error()) > 0)
		err = t_err;

	return err;
}

void
rb_ssl_shutdown(rb_fde_t *F)
{
	int i;
	if(F == NULL || F->ssl == NULL)
		return;
	SSL_set_shutdown((SSL *) F->ssl, SSL_RECEIVED_SHUTDOWN);

	for(i = 0; i < 4; i++)
	{
		if(SSL_shutdown((SSL *) F->ssl))
			break;
	}
	get_last_err();
	SSL_free((SSL *) F->ssl);
}

unsigned int
rb_ssl_handshake_count(rb_fde_t *F)
{
	return F->handshake_count;
}

void
rb_ssl_clear_handshake_count(rb_fde_t *F)
{
	F->handshake_count = 0;
}

static void
rb_ssl_timeout(rb_fde_t *F, void *notused)
{
	lrb_assert(F->accept != NULL);
	F->accept->callback(F, RB_ERR_TIMEOUT, NULL, 0, F->accept->data);
}


static void
rb_ssl_info_callback(SSL * ssl, int where, int ret)
{
	if(where & SSL_CB_HANDSHAKE_START)
	{
		rb_fde_t *F = SSL_get_ex_data(ssl, libratbox_index);
		if(F == NULL)
			return;
		F->handshake_count++;
	}
}

static void
rb_setup_ssl_cb(rb_fde_t *F)
{
	SSL_set_ex_data(F->ssl, libratbox_index, (char *)F);
	SSL_set_info_callback((SSL *) F->ssl, (void (*)(const SSL *,int,int))rb_ssl_info_callback);
}

static void
rb_ssl_tryaccept(rb_fde_t *F, void *data)
{
	int ssl_err;
	lrb_assert(F->accept != NULL);
	int flags;
	struct acceptdata *ad;

	if(!SSL_is_init_finished((SSL *) F->ssl))
	{
		if((ssl_err = SSL_accept((SSL *) F->ssl)) <= 0)
		{
			switch (ssl_err = SSL_get_error((SSL *) F->ssl, ssl_err))
			{
			case SSL_ERROR_WANT_READ:
			case SSL_ERROR_WANT_WRITE:
				if(ssl_err == SSL_ERROR_WANT_WRITE)
					flags = RB_SELECT_WRITE;
				else
					flags = RB_SELECT_READ;
				F->ssl_errno = get_last_err();
				rb_setselect(F, flags, rb_ssl_tryaccept, NULL);
				break;
			case SSL_ERROR_SYSCALL:
				F->accept->callback(F, RB_ERROR, NULL, 0, F->accept->data);
				break;
			default:
				F->ssl_errno = get_last_err();
				F->accept->callback(F, RB_ERROR_SSL, NULL, 0, F->accept->data);
				break;
			}
			return;
		}
	}
	rb_settimeout(F, 0, NULL, NULL);
	rb_setselect(F, RB_SELECT_READ | RB_SELECT_WRITE, NULL, NULL);

	ad = F->accept;
	F->accept = NULL;
	ad->callback(F, RB_OK, (struct sockaddr *)&ad->S, ad->addrlen, ad->data);
	rb_free(ad);

}


static void
rb_ssl_accept_common(rb_fde_t *new_F)
{
	int ssl_err;
	if((ssl_err = SSL_accept((SSL *) new_F->ssl)) <= 0)
	{
		switch (ssl_err = SSL_get_error((SSL *) new_F->ssl, ssl_err))
		{
		case SSL_ERROR_SYSCALL:
			if(rb_ignore_errno(errno))
		case SSL_ERROR_WANT_READ:
		case SSL_ERROR_WANT_WRITE:
				{
					new_F->ssl_errno = get_last_err();
					rb_setselect(new_F, RB_SELECT_READ | RB_SELECT_WRITE,
						     rb_ssl_tryaccept, NULL);
					return;
				}
		default:
			new_F->ssl_errno = get_last_err();
			new_F->accept->callback(new_F, RB_ERROR_SSL, NULL, 0, new_F->accept->data);
			return;
		}
	}
	else
	{
		rb_ssl_tryaccept(new_F, NULL);
	}
}

void
rb_ssl_start_accepted(rb_fde_t *new_F, ACCB * cb, void *data, int timeout)
{
	new_F->type |= RB_FD_SSL;
	new_F->ssl = SSL_new(ssl_server_ctx);
	new_F->accept = rb_malloc(sizeof(struct acceptdata));

	new_F->accept->callback = cb;
	new_F->accept->data = data;
	rb_settimeout(new_F, timeout, rb_ssl_timeout, NULL);

	new_F->accept->addrlen = 0;
	SSL_set_fd((SSL *) new_F->ssl, rb_get_fd(new_F));
	rb_setup_ssl_cb(new_F);
	rb_ssl_accept_common(new_F);
}


void
rb_ssl_accept_setup(rb_fde_t *F, rb_fde_t *new_F, struct sockaddr *st, int addrlen)
{
	new_F->type |= RB_FD_SSL;
	new_F->ssl = SSL_new(ssl_server_ctx);
	new_F->accept = rb_malloc(sizeof(struct acceptdata));

	new_F->accept->callback = F->accept->callback;
	new_F->accept->data = F->accept->data;
	rb_settimeout(new_F, 10, rb_ssl_timeout, NULL);
	memcpy(&new_F->accept->S, st, addrlen);
	new_F->accept->addrlen = addrlen;

	SSL_set_fd((SSL *) new_F->ssl, rb_get_fd(new_F));
	rb_setup_ssl_cb(new_F);
	rb_ssl_accept_common(new_F);
}

static ssize_t
rb_ssl_read_or_write(int r_or_w, rb_fde_t *F, void *rbuf, const void *wbuf, size_t count)
{
	ssize_t ret;
	unsigned long err;
	SSL *ssl = F->ssl;

	if(r_or_w == 0)
		ret = (ssize_t) SSL_read(ssl, rbuf, (int)count);
	else
		ret = (ssize_t) SSL_write(ssl, wbuf, (int)count);

	if(ret < 0)
	{
		switch (SSL_get_error(ssl, ret))
		{
		case SSL_ERROR_WANT_READ:
			errno = EAGAIN;
			return RB_RW_SSL_NEED_READ;
		case SSL_ERROR_WANT_WRITE:
			errno = EAGAIN;
			return RB_RW_SSL_NEED_WRITE;
		case SSL_ERROR_ZERO_RETURN:
			return 0;
		case SSL_ERROR_SYSCALL:
			err = get_last_err();
			if(err == 0)
			{
				F->ssl_errno = 0;
				return RB_RW_IO_ERROR;
			}
			break;
		default:
			err = get_last_err();
			break;
		}
		F->ssl_errno = err;
		if(err > 0)
		{
			errno = EIO;	/* not great but... */
			return RB_RW_SSL_ERROR;
		}
		return RB_RW_IO_ERROR;
	}
	return ret;
}

ssize_t
rb_ssl_read(rb_fde_t *F, void *buf, size_t count)
{
	return rb_ssl_read_or_write(0, F, buf, NULL, count);
}

ssize_t
rb_ssl_write(rb_fde_t *F, const void *buf, size_t count)
{
	return rb_ssl_read_or_write(1, F, NULL, buf, count);
}

static int
verify_accept_all_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)
{
	return 1;
}

static const char *
get_ssl_error(unsigned long err)
{
	static char buf[512];

	ERR_error_string_n(err, buf, sizeof buf);
	return buf;
}

int
rb_init_ssl(void)
{
	int ret = 1;
	char libratbox_data[] = "libratbox data";
	const char libratbox_ciphers[] = "kEECDH+HIGH:kEDH+HIGH:HIGH:!RC4:!aNULL";
	SSL_load_error_strings();
	SSL_library_init();
	libratbox_index = SSL_get_ex_new_index(0, libratbox_data, NULL, NULL, NULL);

#ifndef LRB_HAVE_TLS_METHOD_API
	ssl_server_ctx = SSL_CTX_new(SSLv23_server_method());
#else
	ssl_server_ctx = SSL_CTX_new(TLS_server_method());
#endif

	if(ssl_server_ctx == NULL)
	{
		rb_lib_log("rb_init_openssl: Unable to initialize OpenSSL server context: %s",
			   get_ssl_error(ERR_get_error()));
		ret = 0;
	}

	long server_options = SSL_CTX_get_options(ssl_server_ctx);

#ifndef LRB_HAVE_TLS_METHOD_API
	server_options |= SSL_OP_NO_SSLv2;
	server_options |= SSL_OP_NO_SSLv3;
#endif

#ifdef SSL_OP_SINGLE_DH_USE
	server_options |= SSL_OP_SINGLE_DH_USE;
#endif

#ifdef SSL_OP_SINGLE_ECDH_USE
	server_options |= SSL_OP_SINGLE_ECDH_USE;
#endif

#ifdef SSL_OP_NO_TICKET
	server_options |= SSL_OP_NO_TICKET;
#endif

	server_options |= SSL_OP_CIPHER_SERVER_PREFERENCE;

	SSL_CTX_set_options(ssl_server_ctx, server_options);
	SSL_CTX_set_verify(ssl_server_ctx, SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE, verify_accept_all_cb);
	SSL_CTX_set_session_cache_mode(ssl_server_ctx, SSL_SESS_CACHE_OFF);
	SSL_CTX_set_cipher_list(ssl_server_ctx, libratbox_ciphers);

	/* Set ECDHE on OpenSSL 1.00+, but make sure it's actually available because redhat are dicks
	   and bastardise their OpenSSL for stupid reasons... */
	#if (OPENSSL_VERSION_NUMBER >= 0x10000000L) && defined(NID_secp384r1)
		EC_KEY *key = EC_KEY_new_by_curve_name(NID_secp384r1);
		if (key) {
			SSL_CTX_set_tmp_ecdh(ssl_server_ctx, key);
			EC_KEY_free(key);
		}
	#endif

#ifndef LRB_HAVE_TLS_METHOD_API
	ssl_client_ctx = SSL_CTX_new(SSLv23_client_method());
#else
	ssl_client_ctx = SSL_CTX_new(TLS_client_method());
#endif

	if(ssl_client_ctx == NULL)
	{
		rb_lib_log("rb_init_openssl: Unable to initialize OpenSSL client context: %s",
			   get_ssl_error(ERR_get_error()));
		ret = 0;
	}

#ifndef LRB_HAVE_TLS_METHOD_API
	SSL_CTX_set_options(ssl_client_ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
#endif

#ifdef SSL_OP_NO_TICKET
	SSL_CTX_set_options(ssl_client_ctx, SSL_OP_NO_TICKET);
#endif

	SSL_CTX_set_cipher_list(ssl_client_ctx, libratbox_ciphers);

	return ret;
}


int
rb_setup_ssl_server(const char *cert, const char *keyfile, const char *dhfile)
{
	DH *dh;
	unsigned long err;
	if(cert == NULL)
	{
		rb_lib_log("rb_setup_ssl_server: No certificate file");
		return 0;
	}
	if(!SSL_CTX_use_certificate_chain_file(ssl_server_ctx, cert) || !SSL_CTX_use_certificate_chain_file(ssl_client_ctx, cert))
	{
		err = ERR_get_error();
		rb_lib_log("rb_setup_ssl_server: Error loading certificate file [%s]: %s", cert,
			   get_ssl_error(err));
		return 0;
	}

	if(keyfile == NULL)
	{
		rb_lib_log("rb_setup_ssl_server: No key file");
		return 0;
	}


	if(!SSL_CTX_use_PrivateKey_file(ssl_server_ctx, keyfile, SSL_FILETYPE_PEM) || !SSL_CTX_use_PrivateKey_file(ssl_client_ctx, keyfile, SSL_FILETYPE_PEM))
	{
		err = ERR_get_error();
		rb_lib_log("rb_setup_ssl_server: Error loading keyfile [%s]: %s", keyfile,
			   get_ssl_error(err));
		return 0;
	}

	if(dhfile != NULL)
	{
		/* DH parameters aren't necessary, but they are nice..if they didn't pass one..that is their problem */
		BIO *bio = BIO_new_file(dhfile, "r");
		if(bio != NULL)
		{
			dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
			if(dh == NULL)
			{
				err = ERR_get_error();
				rb_lib_log
					("rb_setup_ssl_server: Error loading DH params file [%s]: %s",
					 dhfile, get_ssl_error(err));
				BIO_free(bio);
				return 0;
			}
			BIO_free(bio);
			SSL_CTX_set_tmp_dh(ssl_server_ctx, dh);
		}
		else
		{
			err = ERR_get_error();
			rb_lib_log("rb_setup_ssl_server: Error loading DH params file [%s]: %s",
				   dhfile, get_ssl_error(err));
		}
	}
	return 1;
}

int
rb_ssl_listen(rb_fde_t *F, int backlog, int defer_accept)
{
	int result;

	result = rb_listen(F, backlog, defer_accept);
	F->type = RB_FD_SOCKET | RB_FD_LISTEN | RB_FD_SSL;

	return result;
}

struct ssl_connect
{
	CNCB *callback;
	void *data;
	int timeout;
};

static void
rb_ssl_connect_realcb(rb_fde_t *F, int status, struct ssl_connect *sconn)
{
	F->connect->callback = sconn->callback;
	F->connect->data = sconn->data;
	rb_free(sconn);
	rb_connect_callback(F, status);
}

static void
rb_ssl_tryconn_timeout_cb(rb_fde_t *F, void *data)
{
	rb_ssl_connect_realcb(F, RB_ERR_TIMEOUT, data);
}

static void
rb_ssl_tryconn_cb(rb_fde_t *F, void *data)
{
	struct ssl_connect *sconn = data;
	int ssl_err;
	if(!SSL_is_init_finished((SSL *) F->ssl))
	{
		if((ssl_err = SSL_connect((SSL *) F->ssl)) <= 0)
		{
			switch (ssl_err = SSL_get_error((SSL *) F->ssl, ssl_err))
			{
			case SSL_ERROR_SYSCALL:
				if(rb_ignore_errno(errno))
			case SSL_ERROR_WANT_READ:
			case SSL_ERROR_WANT_WRITE:
					{
						F->ssl_errno = get_last_err();
						rb_setselect(F, RB_SELECT_READ | RB_SELECT_WRITE,
							     rb_ssl_tryconn_cb, sconn);
						return;
					}
			default:
				F->ssl_errno = get_last_err();
				rb_ssl_connect_realcb(F, RB_ERROR_SSL, sconn);
				return;
			}
		}
		else
		{
			rb_ssl_connect_realcb(F, RB_OK, sconn);
		}
	}
}

static void
rb_ssl_tryconn(rb_fde_t *F, int status, void *data)
{
	struct ssl_connect *sconn = data;
	int ssl_err;
	if(status != RB_OK)
	{
		rb_ssl_connect_realcb(F, status, sconn);
		return;
	}

	F->type |= RB_FD_SSL;
	F->ssl = SSL_new(ssl_client_ctx);
	SSL_set_fd((SSL *) F->ssl, F->fd);
	rb_setup_ssl_cb(F);
	rb_settimeout(F, sconn->timeout, rb_ssl_tryconn_timeout_cb, sconn);
	if((ssl_err = SSL_connect((SSL *) F->ssl)) <= 0)
	{
		switch (ssl_err = SSL_get_error((SSL *) F->ssl, ssl_err))
		{
		case SSL_ERROR_SYSCALL:
			if(rb_ignore_errno(errno))
		case SSL_ERROR_WANT_READ:
		case SSL_ERROR_WANT_WRITE:
				{
					F->ssl_errno = get_last_err();
					rb_setselect(F, RB_SELECT_READ | RB_SELECT_WRITE,
						     rb_ssl_tryconn_cb, sconn);
					return;
				}
		default:
			F->ssl_errno = get_last_err();
			rb_ssl_connect_realcb(F, RB_ERROR_SSL, sconn);
			return;
		}
	}
	else
	{
		rb_ssl_connect_realcb(F, RB_OK, sconn);
	}
}

void
rb_connect_tcp_ssl(rb_fde_t *F, struct sockaddr *dest,
		   struct sockaddr *clocal, int socklen, CNCB * callback, void *data, int timeout)
{
	struct ssl_connect *sconn;
	if(F == NULL)
		return;

	sconn = rb_malloc(sizeof(struct ssl_connect));
	sconn->data = data;
	sconn->callback = callback;
	sconn->timeout = timeout;
	rb_connect_tcp(F, dest, clocal, socklen, rb_ssl_tryconn, sconn, timeout);

}

void
rb_ssl_start_connected(rb_fde_t *F, CNCB * callback, void *data, int timeout)
{
	struct ssl_connect *sconn;
	int ssl_err;
	if(F == NULL)
		return;

	sconn = rb_malloc(sizeof(struct ssl_connect));
	sconn->data = data;
	sconn->callback = callback;
	sconn->timeout = timeout;
	F->connect = rb_malloc(sizeof(struct conndata));
	F->connect->callback = callback;
	F->connect->data = data;
	F->type |= RB_FD_SSL;
	F->ssl = SSL_new(ssl_client_ctx);

	SSL_set_fd((SSL *) F->ssl, F->fd);
	rb_setup_ssl_cb(F);
	rb_settimeout(F, sconn->timeout, rb_ssl_tryconn_timeout_cb, sconn);
	if((ssl_err = SSL_connect((SSL *) F->ssl)) <= 0)
	{
		switch (ssl_err = SSL_get_error((SSL *) F->ssl, ssl_err))
		{
		case SSL_ERROR_SYSCALL:
			if(rb_ignore_errno(errno))
		case SSL_ERROR_WANT_READ:
		case SSL_ERROR_WANT_WRITE:
				{
					F->ssl_errno = get_last_err();
					rb_setselect(F, RB_SELECT_READ | RB_SELECT_WRITE,
						     rb_ssl_tryconn_cb, sconn);
					return;
				}
		default:
			F->ssl_errno = get_last_err();
			rb_ssl_connect_realcb(F, RB_ERROR_SSL, sconn);
			return;
		}
	}
	else
	{
		rb_ssl_connect_realcb(F, RB_OK, sconn);
	}
}

int
rb_init_prng(const char *path, prng_seed_t seed_type)
{
	if(seed_type == RB_PRNG_DEFAULT)
	{
#ifdef _WIN32
		RAND_screen();
#endif
		return RAND_status();
	}
	if(path == NULL)
		return RAND_status();

	switch (seed_type)
	{
	case RB_PRNG_FILE:
		if(RAND_load_file(path, -1) == -1)
			return -1;
		break;
#ifdef _WIN32
	case RB_PRNGWIN32:
		RAND_screen();
		break;
#endif
	default:
		return -1;
	}

	return RAND_status();
}

int
rb_get_random(void *buf, size_t length)
{
	int ret;

	if((ret = RAND_bytes(buf, length)) == 0)
	{
		/* remove the error from the queue */
		ERR_get_error();
	}
	return ret;
}

const char *
rb_get_ssl_strerror(rb_fde_t *F)
{
	return get_ssl_error(F->ssl_errno);
}

int
rb_get_ssl_certfp(rb_fde_t *F, uint8_t certfp[RB_SSL_CERTFP_LEN], int method)
{
	X509 *cert;
	int res;

	if (F->ssl == NULL)
		return 0;

	cert = SSL_get_peer_certificate((SSL *) F->ssl);
	if(cert != NULL)
	{
		res = SSL_get_verify_result((SSL *) F->ssl);
		if(
			res == X509_V_OK ||
			res == X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN ||
			res == X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE ||
			res == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT ||
			res == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
		{
			const EVP_MD *evp;
			unsigned int len;

			switch(method)
			{
			case RB_SSL_CERTFP_METH_SHA1:
				evp = EVP_sha1();
				len = RB_SSL_CERTFP_LEN_SHA1;
				break;
			case RB_SSL_CERTFP_METH_SHA256:
				evp = EVP_sha256();
				len = RB_SSL_CERTFP_LEN_SHA256;
				break;
			case RB_SSL_CERTFP_METH_SHA512:
				evp = EVP_sha512();
				len = RB_SSL_CERTFP_LEN_SHA512;
				break;
			default:
				return 0;
			}

			X509_digest(cert, evp, certfp, &len);
			X509_free(cert);
			return len;
		}
		X509_free(cert);
	}

	return 0;
}

int
rb_supports_ssl(void)
{
	return 1;
}

void
rb_get_ssl_info(char *buf, size_t len)
{
	rb_snprintf(buf, len, "Using SSL: %s compiled: 0x%lx, library 0x%lx",
		    SSLeay_version(SSLEAY_VERSION),
		    (long)OPENSSL_VERSION_NUMBER, SSLeay());
}

const char *
rb_ssl_get_cipher(rb_fde_t *F)
{
	const SSL_CIPHER *sslciph;

	if(F == NULL || F->ssl == NULL)
		return NULL;

	if((sslciph = SSL_get_current_cipher(F->ssl)) == NULL)
		return NULL;

	return SSL_CIPHER_get_name(sslciph);
}

#endif /* HAVE_OPESSL */
Commit	Line	Data
db137867 AC	1	/*
	2	* libratbox: a library used by ircd-ratbox and other things
	3	* openssl.c: openssl related code
	4	*
	5	* Copyright (C) 2007-2008 ircd-ratbox development team
	6	* Copyright (C) 2007-2008 Aaron Sethman <androsyn@ratbox.org>
	7	*
	8	* This program is free software; you can redistribute it and/or modify
	9	* it under the terms of the GNU General Public License as published by
	10	* the Free Software Foundation; either version 2 of the License, or
	11	* (at your option) any later version.
	12	*
	13	* This program is distributed in the hope that it will be useful,
	14	* but WITHOUT ANY WARRANTY; without even the implied warranty of
	15	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	16	* GNU General Public License for more details.
55abcbb2	17	*
db137867 AC	18	* You should have received a copy of the GNU General Public License
	19	* along with this program; if not, write to the Free Software
	20	* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301
	21	* USA
	22	*
	23	* $Id: commio.c 24808 2008-01-02 08:17:05Z androsyn $
	24	*/
	25
	26	#include <libratbox_config.h>
	27	#include <ratbox_lib.h>
	28
	29	#ifdef HAVE_OPENSSL
	30
	31	#include <commio-int.h>
	32	#include <commio-ssl.h>
	33	#include <openssl/ssl.h>
	34	#include <openssl/dh.h>
	35	#include <openssl/err.h>
d3806d05	36	#include <openssl/evp.h>
db137867	37	#include <openssl/rand.h>
3ae24413 AJ	38	#include <openssl/opensslv.h>
	39
	40	/*
	41	* This is a mess but what can you do when the library authors
	42	* refuse to play ball with established conventions?
	43	*/
	44	#if defined(LIBRESSL_VERSION_NUMBER) && (LIBRESSL_VERSION_NUMBER >= 0x20020002L)
	45	# define LRB_HAVE_TLS_METHOD_API 1
	46	#else
	47	# if !defined(LIBRESSL_VERSION_NUMBER) && (OPENSSL_VERSION_NUMBER >= 0x10100000L)
	48	# define LRB_HAVE_TLS_METHOD_API 1
	49	# endif
	50	#endif
db137867 AC	51
	52	static SSL_CTX *ssl_server_ctx;
	53	static SSL_CTX *ssl_client_ctx;
c2ac22cc	54	static int libratbox_index = -1;
db137867	55
3202e249 VY	56	static unsigned long
3202e249 VY	57	get_last_err(void)
db137867 AC	58	{
	59	unsigned long t_err, err = 0;
	60	err = ERR_get_error();
	61	if(err == 0)
	62	return 0;
3202e249	63
db137867 AC	64	while((t_err = ERR_get_error()) > 0)
	65	err = t_err;
	66
	67	return err;
	68	}
	69
	70	void
3202e249	71	rb_ssl_shutdown(rb_fde_t *F)
db137867 AC	72	{
	73	int i;
	74	if(F == NULL \|\| F->ssl == NULL)
	75	return;
	76	SSL_set_shutdown((SSL *) F->ssl, SSL_RECEIVED_SHUTDOWN);
	77
3202e249	78	for(i = 0; i < 4; i++)
db137867 AC	79	{
	80	if(SSL_shutdown((SSL *) F->ssl))
	81	break;
	82	}
	83	get_last_err();
	84	SSL_free((SSL *) F->ssl);
	85	}
	86
c2ac22cc VY	87	unsigned int
	88	rb_ssl_handshake_count(rb_fde_t *F)
	89	{
	90	return F->handshake_count;
	91	}
	92
	93	void
	94	rb_ssl_clear_handshake_count(rb_fde_t *F)
	95	{
	96	F->handshake_count = 0;
	97	}
	98
db137867	99	static void
3202e249	100	rb_ssl_timeout(rb_fde_t F, void notused)
db137867	101	{
73d6283c VY	102	lrb_assert(F->accept != NULL);
73d6283c VY	103	F->accept->callback(F, RB_ERR_TIMEOUT, NULL, 0, F->accept->data);
db137867 AC	104	}
	105
	106
3202e249 VY	107	static void
3202e249 VY	108	rb_ssl_info_callback(SSL * ssl, int where, int ret)
c2ac22cc VY	109	{
	110	if(where & SSL_CB_HANDSHAKE_START)
	111	{
	112	rb_fde_t *F = SSL_get_ex_data(ssl, libratbox_index);
	113	if(F == NULL)
	114	return;
	115	F->handshake_count++;
3202e249	116	}
c2ac22cc VY	117	}
	118
	119	static void
	120	rb_setup_ssl_cb(rb_fde_t *F)
	121	{
	122	SSL_set_ex_data(F->ssl, libratbox_index, (char *)F);
3202e249	123	SSL_set_info_callback((SSL ) F->ssl, (void ()(const SSL *,int,int))rb_ssl_info_callback);
c2ac22cc VY	124	}
c2ac22cc VY	125
db137867	126	static void
3202e249	127	rb_ssl_tryaccept(rb_fde_t F, void data)
db137867 AC	128	{
	129	int ssl_err;
	130	lrb_assert(F->accept != NULL);
73d6283c	131	int flags;
2142f691	132	struct acceptdata *ad;
db137867 AC	133
	134	if(!SSL_is_init_finished((SSL *) F->ssl))
	135	{
	136	if((ssl_err = SSL_accept((SSL *) F->ssl)) <= 0)
	137	{
	138	switch (ssl_err = SSL_get_error((SSL *) F->ssl, ssl_err))
	139	{
db137867 AC	140	case SSL_ERROR_WANT_READ:
db137867 AC	141	case SSL_ERROR_WANT_WRITE:
73d6283c VY	142	if(ssl_err == SSL_ERROR_WANT_WRITE)
	143	flags = RB_SELECT_WRITE;
	144	else
	145	flags = RB_SELECT_READ;
	146	F->ssl_errno = get_last_err();
	147	rb_setselect(F, flags, rb_ssl_tryaccept, NULL);
	148	break;
	149	case SSL_ERROR_SYSCALL:
	150	F->accept->callback(F, RB_ERROR, NULL, 0, F->accept->data);
	151	break;
db137867 AC	152	default:
	153	F->ssl_errno = get_last_err();
	154	F->accept->callback(F, RB_ERROR_SSL, NULL, 0, F->accept->data);
	155	break;
	156	}
	157	return;
	158	}
	159	}
	160	rb_settimeout(F, 0, NULL, NULL);
	161	rb_setselect(F, RB_SELECT_READ \| RB_SELECT_WRITE, NULL, NULL);
3202e249	162
2142f691	163	ad = F->accept;
db137867	164	F->accept = NULL;
3202e249	165	ad->callback(F, RB_OK, (struct sockaddr *)&ad->S, ad->addrlen, ad->data);
2142f691	166	rb_free(ad);
db137867 AC	167
	168	}
	169
c2ac22cc VY	170
	171	static void
	172	rb_ssl_accept_common(rb_fde_t *new_F)
db137867 AC	173	{
db137867 AC	174	int ssl_err;
db137867 AC	175	if((ssl_err = SSL_accept((SSL *) new_F->ssl)) <= 0)
	176	{
	177	switch (ssl_err = SSL_get_error((SSL *) new_F->ssl, ssl_err))
	178	{
	179	case SSL_ERROR_SYSCALL:
	180	if(rb_ignore_errno(errno))
	181	case SSL_ERROR_WANT_READ:
	182	case SSL_ERROR_WANT_WRITE:
	183	{
	184	new_F->ssl_errno = get_last_err();
	185	rb_setselect(new_F, RB_SELECT_READ \| RB_SELECT_WRITE,
	186	rb_ssl_tryaccept, NULL);
	187	return;
	188	}
	189	default:
	190	new_F->ssl_errno = get_last_err();
	191	new_F->accept->callback(new_F, RB_ERROR_SSL, NULL, 0, new_F->accept->data);
	192	return;
	193	}
	194	}
	195	else
	196	{
	197	rb_ssl_tryaccept(new_F, NULL);
	198	}
	199	}
	200
c2ac22cc	201	void
3202e249	202	rb_ssl_start_accepted(rb_fde_t new_F, ACCB cb, void *data, int timeout)
c2ac22cc VY	203	{
	204	new_F->type \|= RB_FD_SSL;
	205	new_F->ssl = SSL_new(ssl_server_ctx);
	206	new_F->accept = rb_malloc(sizeof(struct acceptdata));
	207
	208	new_F->accept->callback = cb;
	209	new_F->accept->data = data;
	210	rb_settimeout(new_F, timeout, rb_ssl_timeout, NULL);
	211
	212	new_F->accept->addrlen = 0;
	213	SSL_set_fd((SSL *) new_F->ssl, rb_get_fd(new_F));
	214	rb_setup_ssl_cb(new_F);
	215	rb_ssl_accept_common(new_F);
	216	}
	217
db137867 AC	218
	219
	220
	221	void
3202e249	222	rb_ssl_accept_setup(rb_fde_t F, rb_fde_t new_F, struct sockaddr *st, int addrlen)
db137867	223	{
db137867 AC	224	new_F->type \|= RB_FD_SSL;
	225	new_F->ssl = SSL_new(ssl_server_ctx);
	226	new_F->accept = rb_malloc(sizeof(struct acceptdata));
	227
	228	new_F->accept->callback = F->accept->callback;
	229	new_F->accept->data = F->accept->data;
	230	rb_settimeout(new_F, 10, rb_ssl_timeout, NULL);
	231	memcpy(&new_F->accept->S, st, addrlen);
	232	new_F->accept->addrlen = addrlen;
	233
a9fb3ed0	234	SSL_set_fd((SSL *) new_F->ssl, rb_get_fd(new_F));
c2ac22cc VY	235	rb_setup_ssl_cb(new_F);
c2ac22cc VY	236	rb_ssl_accept_common(new_F);
db137867 AC	237	}
	238
	239	static ssize_t
3202e249	240	rb_ssl_read_or_write(int r_or_w, rb_fde_t F, void rbuf, const void *wbuf, size_t count)
db137867 AC	241	{
	242	ssize_t ret;
	243	unsigned long err;
	244	SSL *ssl = F->ssl;
	245
	246	if(r_or_w == 0)
3202e249	247	ret = (ssize_t) SSL_read(ssl, rbuf, (int)count);
db137867	248	else
3202e249	249	ret = (ssize_t) SSL_write(ssl, wbuf, (int)count);
db137867 AC	250
	251	if(ret < 0)
	252	{
	253	switch (SSL_get_error(ssl, ret))
	254	{
	255	case SSL_ERROR_WANT_READ:
	256	errno = EAGAIN;
	257	return RB_RW_SSL_NEED_READ;
	258	case SSL_ERROR_WANT_WRITE:
	259	errno = EAGAIN;
	260	return RB_RW_SSL_NEED_WRITE;
	261	case SSL_ERROR_ZERO_RETURN:
	262	return 0;
	263	case SSL_ERROR_SYSCALL:
	264	err = get_last_err();
	265	if(err == 0)
	266	{
	267	F->ssl_errno = 0;
	268	return RB_RW_IO_ERROR;
	269	}
	270	break;
	271	default:
	272	err = get_last_err();
	273	break;
	274	}
	275	F->ssl_errno = err;
	276	if(err > 0)
	277	{
	278	errno = EIO; /* not great but... */
	279	return RB_RW_SSL_ERROR;
	280	}
	281	return RB_RW_IO_ERROR;
	282	}
	283	return ret;
	284	}
	285
	286	ssize_t
3202e249	287	rb_ssl_read(rb_fde_t F, void buf, size_t count)
db137867 AC	288	{
	289	return rb_ssl_read_or_write(0, F, buf, NULL, count);
	290	}
	291
	292	ssize_t
3202e249	293	rb_ssl_write(rb_fde_t F, const void buf, size_t count)
db137867 AC	294	{
	295	return rb_ssl_read_or_write(1, F, NULL, buf, count);
	296	}
	297
7247337a JT	298	static int
	299	verify_accept_all_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)
	300	{
	301	return 1;
	302	}
	303
918d73d5 JT	304	static const char *
	305	get_ssl_error(unsigned long err)
	306	{
	307	static char buf[512];
	308
	309	ERR_error_string_n(err, buf, sizeof buf);
	310	return buf;
	311	}
	312
db137867 AC	313	int
	314	rb_init_ssl(void)
	315	{
	316	int ret = 1;
c2ac22cc	317	char libratbox_data[] = "libratbox data";
cb266283	318	const char libratbox_ciphers[] = "kEECDH+HIGH:kEDH+HIGH:HIGH:!RC4:!aNULL";
db137867 AC	319	SSL_load_error_strings();
db137867 AC	320	SSL_library_init();
c2ac22cc	321	libratbox_index = SSL_get_ex_new_index(0, libratbox_data, NULL, NULL, NULL);
a4c8c827	322
3ae24413	323	#ifndef LRB_HAVE_TLS_METHOD_API
db137867	324	ssl_server_ctx = SSL_CTX_new(SSLv23_server_method());
a4c8c827 AJ	325	#else
	326	ssl_server_ctx = SSL_CTX_new(TLS_server_method());
	327	#endif
	328
db137867 AC	329	if(ssl_server_ctx == NULL)
	330	{
	331	rb_lib_log("rb_init_openssl: Unable to initialize OpenSSL server context: %s",
918d73d5	332	get_ssl_error(ERR_get_error()));
db137867 AC	333	ret = 0;
db137867 AC	334	}
a4c8c827 AJ	335
	336	long server_options = SSL_CTX_get_options(ssl_server_ctx);
	337
3ae24413	338	#ifndef LRB_HAVE_TLS_METHOD_API
a4c8c827 AJ	339	server_options \|= SSL_OP_NO_SSLv2;
	340	server_options \|= SSL_OP_NO_SSLv3;
	341	#endif
	342
362ef2d9	343	#ifdef SSL_OP_SINGLE_DH_USE
a4c8c827 AJ	344	server_options \|= SSL_OP_SINGLE_DH_USE;
	345	#endif
	346
	347	#ifdef SSL_OP_SINGLE_ECDH_USE
	348	server_options \|= SSL_OP_SINGLE_ECDH_USE;
6b6a5799	349	#endif
a4c8c827	350
6b6a5799	351	#ifdef SSL_OP_NO_TICKET
a4c8c827	352	server_options \|= SSL_OP_NO_TICKET;
362ef2d9	353	#endif
a4c8c827 AJ	354
	355	server_options \|= SSL_OP_CIPHER_SERVER_PREFERENCE;
	356
	357	SSL_CTX_set_options(ssl_server_ctx, server_options);
7247337a	358	SSL_CTX_set_verify(ssl_server_ctx, SSL_VERIFY_PEER \| SSL_VERIFY_CLIENT_ONCE, verify_accept_all_cb);
989652e7	359	SSL_CTX_set_session_cache_mode(ssl_server_ctx, SSL_SESS_CACHE_OFF);
cb266283	360	SSL_CTX_set_cipher_list(ssl_server_ctx, libratbox_ciphers);
b6e799f5 AC	361
	362	/* Set ECDHE on OpenSSL 1.00+, but make sure it's actually available because redhat are dicks
	363	and bastardise their OpenSSL for stupid reasons... */
a4c8c827	364	#if (OPENSSL_VERSION_NUMBER >= 0x10000000L) && defined(NID_secp384r1)
9e26f000 KB	365	EC_KEY *key = EC_KEY_new_by_curve_name(NID_secp384r1);
	366	if (key) {
	367	SSL_CTX_set_tmp_ecdh(ssl_server_ctx, key);
	368	EC_KEY_free(key);
	369	}
31d22015	370	#endif
3202e249	371
3ae24413	372	#ifndef LRB_HAVE_TLS_METHOD_API
25f7ee7d	373	ssl_client_ctx = SSL_CTX_new(SSLv23_client_method());
a4c8c827	374	#else
c86f11da	375	ssl_client_ctx = SSL_CTX_new(TLS_client_method());
a4c8c827	376	#endif
db137867 AC	377
	378	if(ssl_client_ctx == NULL)
	379	{
	380	rb_lib_log("rb_init_openssl: Unable to initialize OpenSSL client context: %s",
918d73d5	381	get_ssl_error(ERR_get_error()));
db137867 AC	382	ret = 0;
db137867 AC	383	}
6b6a5799	384
25f7ee7d AJ	385	#ifndef LRB_HAVE_TLS_METHOD_API
	386	SSL_CTX_set_options(ssl_client_ctx, SSL_OP_NO_SSLv2 \| SSL_OP_NO_SSLv3);
	387	#endif
	388
6b6a5799 AM	389	#ifdef SSL_OP_NO_TICKET
	390	SSL_CTX_set_options(ssl_client_ctx, SSL_OP_NO_TICKET);
	391	#endif
	392
cb266283 AJ	393	SSL_CTX_set_cipher_list(ssl_client_ctx, libratbox_ciphers);
cb266283 AJ	394
db137867 AC	395	return ret;
	396	}
	397
	398
	399	int
	400	rb_setup_ssl_server(const char cert, const char keyfile, const char *dhfile)
	401	{
db137867 AC	402	DH *dh;
	403	unsigned long err;
	404	if(cert == NULL)
	405	{
	406	rb_lib_log("rb_setup_ssl_server: No certificate file");
	407	return 0;
	408	}
07e14084	409	if(!SSL_CTX_use_certificate_chain_file(ssl_server_ctx, cert) \|\| !SSL_CTX_use_certificate_chain_file(ssl_client_ctx, cert))
db137867 AC	410	{
	411	err = ERR_get_error();
	412	rb_lib_log("rb_setup_ssl_server: Error loading certificate file [%s]: %s", cert,
918d73d5	413	get_ssl_error(err));
db137867 AC	414	return 0;
	415	}
	416
	417	if(keyfile == NULL)
	418	{
	419	rb_lib_log("rb_setup_ssl_server: No key file");
	420	return 0;
	421	}
	422
	423
07e14084	424	if(!SSL_CTX_use_PrivateKey_file(ssl_server_ctx, keyfile, SSL_FILETYPE_PEM) \|\| !SSL_CTX_use_PrivateKey_file(ssl_client_ctx, keyfile, SSL_FILETYPE_PEM))
db137867 AC	425	{
	426	err = ERR_get_error();
	427	rb_lib_log("rb_setup_ssl_server: Error loading keyfile [%s]: %s", keyfile,
918d73d5	428	get_ssl_error(err));
db137867 AC	429	return 0;
	430	}
	431
	432	if(dhfile != NULL)
	433	{
	434	/* DH parameters aren't necessary, but they are nice..if they didn't pass one..that is their problem */
3202e249 VY	435	BIO *bio = BIO_new_file(dhfile, "r");
3202e249 VY	436	if(bio != NULL)
db137867	437	{
3202e249	438	dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
db137867 AC	439	if(dh == NULL)
	440	{
	441	err = ERR_get_error();
	442	rb_lib_log
	443	("rb_setup_ssl_server: Error loading DH params file [%s]: %s",
918d73d5	444	dhfile, get_ssl_error(err));
3202e249	445	BIO_free(bio);
db137867 AC	446	return 0;
db137867 AC	447	}
3202e249	448	BIO_free(bio);
db137867	449	SSL_CTX_set_tmp_dh(ssl_server_ctx, dh);
3202e249 VY	450	}
	451	else
	452	{
	453	err = ERR_get_error();
	454	rb_lib_log("rb_setup_ssl_server: Error loading DH params file [%s]: %s",
918d73d5	455	dhfile, get_ssl_error(err));
db137867 AC	456	}
	457	}
	458	return 1;
	459	}
	460
	461	int
aa4737a0	462	rb_ssl_listen(rb_fde_t *F, int backlog, int defer_accept)
db137867	463	{
aa4737a0 AC	464	int result;
	465
	466	result = rb_listen(F, backlog, defer_accept);
db137867	467	F->type = RB_FD_SOCKET \| RB_FD_LISTEN \| RB_FD_SSL;
aa4737a0 AC	468
aa4737a0 AC	469	return result;
db137867 AC	470	}
	471
	472	struct ssl_connect
	473	{
	474	CNCB *callback;
	475	void *data;
	476	int timeout;
	477	};
	478
	479	static void
3202e249	480	rb_ssl_connect_realcb(rb_fde_t F, int status, struct ssl_connect sconn)
db137867 AC	481	{
	482	F->connect->callback = sconn->callback;
	483	F->connect->data = sconn->data;
	484	rb_free(sconn);
	485	rb_connect_callback(F, status);
	486	}
	487
	488	static void
3202e249	489	rb_ssl_tryconn_timeout_cb(rb_fde_t F, void data)
db137867 AC	490	{
	491	rb_ssl_connect_realcb(F, RB_ERR_TIMEOUT, data);
	492	}
	493
	494	static void
3202e249	495	rb_ssl_tryconn_cb(rb_fde_t F, void data)
db137867 AC	496	{
	497	struct ssl_connect *sconn = data;
	498	int ssl_err;
	499	if(!SSL_is_init_finished((SSL *) F->ssl))
	500	{
	501	if((ssl_err = SSL_connect((SSL *) F->ssl)) <= 0)
	502	{
	503	switch (ssl_err = SSL_get_error((SSL *) F->ssl, ssl_err))
	504	{
	505	case SSL_ERROR_SYSCALL:
	506	if(rb_ignore_errno(errno))
	507	case SSL_ERROR_WANT_READ:
	508	case SSL_ERROR_WANT_WRITE:
	509	{
	510	F->ssl_errno = get_last_err();
	511	rb_setselect(F, RB_SELECT_READ \| RB_SELECT_WRITE,
	512	rb_ssl_tryconn_cb, sconn);
	513	return;
	514	}
	515	default:
	516	F->ssl_errno = get_last_err();
	517	rb_ssl_connect_realcb(F, RB_ERROR_SSL, sconn);
	518	return;
	519	}
	520	}
	521	else
	522	{
	523	rb_ssl_connect_realcb(F, RB_OK, sconn);
	524	}
	525	}
	526	}
	527
	528	static void
3202e249	529	rb_ssl_tryconn(rb_fde_t F, int status, void data)
db137867 AC	530	{
	531	struct ssl_connect *sconn = data;
	532	int ssl_err;
	533	if(status != RB_OK)
	534	{
	535	rb_ssl_connect_realcb(F, status, sconn);
	536	return;
	537	}
	538
	539	F->type \|= RB_FD_SSL;
	540	F->ssl = SSL_new(ssl_client_ctx);
	541	SSL_set_fd((SSL *) F->ssl, F->fd);
c2ac22cc	542	rb_setup_ssl_cb(F);
db137867 AC	543	rb_settimeout(F, sconn->timeout, rb_ssl_tryconn_timeout_cb, sconn);
	544	if((ssl_err = SSL_connect((SSL *) F->ssl)) <= 0)
	545	{
	546	switch (ssl_err = SSL_get_error((SSL *) F->ssl, ssl_err))
	547	{
	548	case SSL_ERROR_SYSCALL:
	549	if(rb_ignore_errno(errno))
	550	case SSL_ERROR_WANT_READ:
	551	case SSL_ERROR_WANT_WRITE:
	552	{
	553	F->ssl_errno = get_last_err();
	554	rb_setselect(F, RB_SELECT_READ \| RB_SELECT_WRITE,
	555	rb_ssl_tryconn_cb, sconn);
	556	return;
	557	}
	558	default:
	559	F->ssl_errno = get_last_err();
	560	rb_ssl_connect_realcb(F, RB_ERROR_SSL, sconn);
	561	return;
	562	}
	563	}
	564	else
	565	{
	566	rb_ssl_connect_realcb(F, RB_OK, sconn);
	567	}
	568	}
	569
	570	void
3202e249	571	rb_connect_tcp_ssl(rb_fde_t F, struct sockaddr dest,
db137867 AC	572	struct sockaddr clocal, int socklen, CNCB callback, void *data, int timeout)
	573	{
	574	struct ssl_connect *sconn;
	575	if(F == NULL)
	576	return;
	577
	578	sconn = rb_malloc(sizeof(struct ssl_connect));
	579	sconn->data = data;
	580	sconn->callback = callback;
	581	sconn->timeout = timeout;
	582	rb_connect_tcp(F, dest, clocal, socklen, rb_ssl_tryconn, sconn, timeout);
	583
	584	}
	585
	586	void
3202e249	587	rb_ssl_start_connected(rb_fde_t F, CNCB callback, void *data, int timeout)
db137867 AC	588	{
	589	struct ssl_connect *sconn;
	590	int ssl_err;
	591	if(F == NULL)
	592	return;
	593
	594	sconn = rb_malloc(sizeof(struct ssl_connect));
	595	sconn->data = data;
	596	sconn->callback = callback;
	597	sconn->timeout = timeout;
	598	F->connect = rb_malloc(sizeof(struct conndata));
	599	F->connect->callback = callback;
	600	F->connect->data = data;
	601	F->type \|= RB_FD_SSL;
	602	F->ssl = SSL_new(ssl_client_ctx);
3202e249	603
db137867	604	SSL_set_fd((SSL *) F->ssl, F->fd);
c2ac22cc	605	rb_setup_ssl_cb(F);
db137867 AC	606	rb_settimeout(F, sconn->timeout, rb_ssl_tryconn_timeout_cb, sconn);
	607	if((ssl_err = SSL_connect((SSL *) F->ssl)) <= 0)
	608	{
	609	switch (ssl_err = SSL_get_error((SSL *) F->ssl, ssl_err))
	610	{
	611	case SSL_ERROR_SYSCALL:
	612	if(rb_ignore_errno(errno))
	613	case SSL_ERROR_WANT_READ:
	614	case SSL_ERROR_WANT_WRITE:
	615	{
	616	F->ssl_errno = get_last_err();
	617	rb_setselect(F, RB_SELECT_READ \| RB_SELECT_WRITE,
	618	rb_ssl_tryconn_cb, sconn);
	619	return;
	620	}
	621	default:
	622	F->ssl_errno = get_last_err();
	623	rb_ssl_connect_realcb(F, RB_ERROR_SSL, sconn);
	624	return;
	625	}
	626	}
	627	else
	628	{
	629	rb_ssl_connect_realcb(F, RB_OK, sconn);
	630	}
	631	}
	632
	633	int
	634	rb_init_prng(const char *path, prng_seed_t seed_type)
	635	{
	636	if(seed_type == RB_PRNG_DEFAULT)
	637	{
3202e249	638	#ifdef _WIN32
db137867 AC	639	RAND_screen();
	640	#endif
	641	return RAND_status();
	642	}
	643	if(path == NULL)
	644	return RAND_status();
	645
	646	switch (seed_type)
	647	{
db137867 AC	648	case RB_PRNG_FILE:
	649	if(RAND_load_file(path, -1) == -1)
	650	return -1;
	651	break;
3202e249	652	#ifdef _WIN32
db137867 AC	653	case RB_PRNGWIN32:
	654	RAND_screen();
	655	break;
	656	#endif
	657	default:
	658	return -1;
	659	}
	660
	661	return RAND_status();
	662	}
	663
	664	int
	665	rb_get_random(void *buf, size_t length)
	666	{
a9fb3ed0	667	int ret;
3202e249	668
a9fb3ed0	669	if((ret = RAND_bytes(buf, length)) == 0)
db137867	670	{
a9fb3ed0	671	/* remove the error from the queue */
3202e249	672	ERR_get_error();
db137867	673	}
a9fb3ed0	674	return ret;
db137867 AC	675	}
db137867 AC	676
db137867	677	const char *
3202e249	678	rb_get_ssl_strerror(rb_fde_t *F)
db137867	679	{
918d73d5	680	return get_ssl_error(F->ssl_errno);
db137867 AC	681	}
db137867 AC	682
7247337a	683	int
e6bbb410	684	rb_get_ssl_certfp(rb_fde_t *F, uint8_t certfp[RB_SSL_CERTFP_LEN], int method)
7247337a JT	685	{
	686	X509 *cert;
	687	int res;
	688
	689	if (F->ssl == NULL)
	690	return 0;
	691
	692	cert = SSL_get_peer_certificate((SSL *) F->ssl);
	693	if(cert != NULL)
	694	{
	695	res = SSL_get_verify_result((SSL *) F->ssl);
614502a6 AJ	696	if(
	697	res == X509_V_OK \|\|
	698	res == X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN \|\|
	699	res == X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE \|\|
	700	res == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT \|\|
	701	res == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
7247337a	702	{
e6bbb410 EM	703	const EVP_MD *evp;
	704	unsigned int len;
	705
	706	switch(method)
	707	{
	708	case RB_SSL_CERTFP_METH_SHA1:
	709	evp = EVP_sha1();
	710	len = RB_SSL_CERTFP_LEN_SHA1;
	711	break;
	712	case RB_SSL_CERTFP_METH_SHA256:
	713	evp = EVP_sha256();
	714	len = RB_SSL_CERTFP_LEN_SHA256;
	715	break;
	716	case RB_SSL_CERTFP_METH_SHA512:
	717	evp = EVP_sha512();
	718	len = RB_SSL_CERTFP_LEN_SHA512;
	719	break;
	720	default:
	721	return 0;
	722	}
	723
	724	X509_digest(cert, evp, certfp, &len);
97b0e99e	725	X509_free(cert);
e6bbb410	726	return len;
7247337a	727	}
b2d64e51	728	X509_free(cert);
7247337a JT	729	}
	730
	731	return 0;
	732	}
	733
db137867 AC	734	int
	735	rb_supports_ssl(void)
	736	{
	737	return 1;
	738	}
	739
030272f3 VY	740	void
	741	rb_get_ssl_info(char *buf, size_t len)
	742	{
55abcbb2	743	rb_snprintf(buf, len, "Using SSL: %s compiled: 0x%lx, library 0x%lx",
e732a57b JT	744	SSLeay_version(SSLEAY_VERSION),
e732a57b JT	745	(long)OPENSSL_VERSION_NUMBER, SSLeay());
030272f3 VY	746	}
030272f3 VY	747
833b2f9c AC	748	const char *
	749	rb_ssl_get_cipher(rb_fde_t *F)
	750	{
	751	const SSL_CIPHER *sslciph;
	752
	753	if(F == NULL \|\| F->ssl == NULL)
	754	return NULL;
	755
	756	if((sslciph = SSL_get_current_cipher(F->ssl)) == NULL)
	757	return NULL;
	758
	759	return SSL_CIPHER_get_name(sslciph);
	760	}
030272f3	761
db137867	762	#endif /* HAVE_OPESSL */