]> jfr.im git - solanum.git/blame - librb/src/gnutls.c
projects / solanum.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
[openssl] Forward-port some more cleanups from fixes to 3.5
[solanum.git] / librb / src / gnutls.c
CommitLineData
2bd29df9 1/*
fe037171 2 * librb: a library used by charybdis and other things
2bd29df9
AB		 3 * gnutls.c: gnutls related code
4 *
5 * Copyright (C) 2007-2008 ircd-ratbox development team
6 * Copyright (C) 2007-2008 Aaron Sethman <androsyn@ratbox.org>
7 *
8 * This program is free software; you can redistribute it and/or modify
9 * it under the terms of the GNU General Public License as published by
10 * the Free Software Foundation; either version 2 of the License, or
11 * (at your option) any later version.
12 *
13 * This program is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
55abcbb2 17 *
2bd29df9
AB		 18 * You should have received a copy of the GNU General Public License
19 * along with this program; if not, write to the Free Software
20 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301
21 * USA
22 *
2bd29df9
AB		 23 */
24
fe037171
EM		 25#include <librb_config.h>
26#include <rb_lib.h>
2bd29df9
AB		 27#include <commio-int.h>
28#include <commio-ssl.h>
cf430c1a 29#include <stdbool.h>
2bd29df9
AB		 30#ifdef HAVE_GNUTLS
31
32#include <gnutls/gnutls.h>
33#include <gnutls/x509.h>
cf430c1a 34#include <gnutls/abstract.h>
7aa40f6d 35
c56f5979 36#if (GNUTLS_VERSION_MAJOR < 3)
7aa40f6d 37# include <gcrypt.h>
c56f5979
VI		 38#else
39# include <gnutls/crypto.h>
7aa40f6d 40#endif
2bd29df9 41
c56f5979
VI		 42static gnutls_certificate_credentials_t x509;
43static gnutls_dh_params_t dh_params;
673ec98e 44static gnutls_priority_t default_priority;
2bd29df9
AB		 45
46/* These are all used for getting GnuTLS to supply a client cert. */
47#define MAX_CERTS 6
48static unsigned int x509_cert_count;
49static gnutls_x509_crt_t x509_cert[MAX_CERTS];
50static gnutls_x509_privkey_t x509_key;
f7036bbe 51#if GNUTLS_VERSION_MAJOR < 3
2bd29df9
AB		 52static int cert_callback(gnutls_session_t session, const gnutls_datum_t *req_ca_rdn, int nreqs,
53 const gnutls_pk_algorithm_t *sign_algos, int sign_algos_len, gnutls_retr_st *st);
f7036bbe
AC		 54#else
55static int cert_callback(gnutls_session_t session, const gnutls_datum_t *req_ca_rdn, int nreqs,
56 const gnutls_pk_algorithm_t *sign_algos, int sign_algos_len, gnutls_retr2_st *st);
57#endif
2bd29df9
AB		 58
59#define SSL_P(x) *((gnutls_session_t *)F->ssl)
60
61void
62rb_ssl_shutdown(rb_fde_t *F)
63{
64 int i;
65 if(F == NULL || F->ssl == NULL)
66 return;
67 for(i = 0; i < 4; i++)
68 {
69 if(gnutls_bye(SSL_P(F), GNUTLS_SHUT_RDWR) == GNUTLS_E_SUCCESS)
70 break;
71 }
72 gnutls_deinit(SSL_P(F));
73 rb_free(F->ssl);
74}
75
76unsigned int
77rb_ssl_handshake_count(rb_fde_t *F)
78{
79 return F->handshake_count;
80}
81
82void
83rb_ssl_clear_handshake_count(rb_fde_t *F)
84{
85 F->handshake_count = 0;
86}
87
88static void
89rb_ssl_timeout(rb_fde_t *F, void *notused)
90{
91 lrb_assert(F->accept != NULL);
92 F->accept->callback(F, RB_ERR_TIMEOUT, NULL, 0, F->accept->data);
93}
94
95
96static int
97do_ssl_handshake(rb_fde_t *F, PF * callback, void *data)
98{
99 int ret;
100 int flags;
101
102 ret = gnutls_handshake(SSL_P(F));
103 if(ret < 0)
104 {
105 if((ret == GNUTLS_E_INTERRUPTED && rb_ignore_errno(errno)) || ret == GNUTLS_E_AGAIN)
106 {
107 if(gnutls_record_get_direction(SSL_P(F)) == 0)
108 flags = RB_SELECT_READ;
109 else
110 flags = RB_SELECT_WRITE;
111 rb_setselect(F, flags, callback, data);
112 return 0;
113 }
114 F->ssl_errno = ret;
115 return -1;
116 }
117 return 1; /* handshake is finished..go about life */
118}
119
120static void
121rb_ssl_tryaccept(rb_fde_t *F, void *data)
122{
123 int ret;
124 struct acceptdata *ad;
125
126 lrb_assert(F->accept != NULL);
127
128 ret = do_ssl_handshake(F, rb_ssl_tryaccept, NULL);
129
130 /* do_ssl_handshake does the rb_setselect */
131 if(ret == 0)
132 return;
133
134 ad = F->accept;
135 F->accept = NULL;
136 rb_settimeout(F, 0, NULL, NULL);
137 rb_setselect(F, RB_SELECT_READ | RB_SELECT_WRITE, NULL, NULL);
55abcbb2 138
2bd29df9
AB		 139 if(ret > 0)
140 ad->callback(F, RB_OK, (struct sockaddr *)&ad->S, ad->addrlen, ad->data);
141 else
142 ad->callback(F, RB_ERROR_SSL, NULL, 0, ad->data);
143
144 rb_free(ad);
145}
146
147void
148rb_ssl_start_accepted(rb_fde_t *new_F, ACCB * cb, void *data, int timeout)
149{
150 gnutls_session_t *ssl;
151 new_F->type |= RB_FD_SSL;
152 ssl = new_F->ssl = rb_malloc(sizeof(gnutls_session_t));
153 new_F->accept = rb_malloc(sizeof(struct acceptdata));
154
155 new_F->accept->callback = cb;
156 new_F->accept->data = data;
157 rb_settimeout(new_F, timeout, rb_ssl_timeout, NULL);
158
159 new_F->accept->addrlen = 0;
160
161 gnutls_init(ssl, GNUTLS_SERVER);
162 gnutls_set_default_priority(*ssl);
163 gnutls_credentials_set(*ssl, GNUTLS_CRD_CERTIFICATE, x509);
164 gnutls_dh_set_prime_bits(*ssl, 1024);
165 gnutls_transport_set_ptr(*ssl, (gnutls_transport_ptr_t) (long int)new_F->fd);
166 gnutls_certificate_server_set_request(*ssl, GNUTLS_CERT_REQUEST);
c56f5979 167 gnutls_priority_set(*ssl, default_priority);
673ec98e 168
2bd29df9
AB		 169 if(do_ssl_handshake(new_F, rb_ssl_tryaccept, NULL))
170 {
171 struct acceptdata *ad = new_F->accept;
172 new_F->accept = NULL;
173 ad->callback(new_F, RB_OK, (struct sockaddr *)&ad->S, ad->addrlen, ad->data);
174 rb_free(ad);
175 }
176
177}
178
179
180
181
182void
183rb_ssl_accept_setup(rb_fde_t *F, rb_fde_t *new_F, struct sockaddr *st, int addrlen)
184{
185 new_F->type |= RB_FD_SSL;
186 new_F->ssl = rb_malloc(sizeof(gnutls_session_t));
187 new_F->accept = rb_malloc(sizeof(struct acceptdata));
188
189 new_F->accept->callback = F->accept->callback;
190 new_F->accept->data = F->accept->data;
191 rb_settimeout(new_F, 10, rb_ssl_timeout, NULL);
192 memcpy(&new_F->accept->S, st, addrlen);
193 new_F->accept->addrlen = addrlen;
194
195 gnutls_init((gnutls_session_t *) new_F->ssl, GNUTLS_SERVER);
196 gnutls_set_default_priority(SSL_P(new_F));
197 gnutls_credentials_set(SSL_P(new_F), GNUTLS_CRD_CERTIFICATE, x509);
198 gnutls_dh_set_prime_bits(SSL_P(new_F), 1024);
199 gnutls_transport_set_ptr(SSL_P(new_F), (gnutls_transport_ptr_t) (long int)rb_get_fd(new_F));
200 gnutls_certificate_server_set_request(SSL_P(new_F), GNUTLS_CERT_REQUEST);
673ec98e
AC		 201 gnutls_priority_set(SSL_P(F), default_priority);
202
2bd29df9
AB		 203 if(do_ssl_handshake(F, rb_ssl_tryaccept, NULL))
204 {
205 struct acceptdata *ad = F->accept;
206 F->accept = NULL;
207 ad->callback(F, RB_OK, (struct sockaddr *)&ad->S, ad->addrlen, ad->data);
208 rb_free(ad);
209 }
210}
211
212
213
214
215static ssize_t
216rb_ssl_read_or_write(int r_or_w, rb_fde_t *F, void *rbuf, const void *wbuf, size_t count)
217{
218 ssize_t ret;
219 gnutls_session_t *ssl = F->ssl;
220
221 if(r_or_w == 0)
222 ret = gnutls_record_recv(*ssl, rbuf, count);
223 else
224 ret = gnutls_record_send(*ssl, wbuf, count);
225
226 if(ret < 0)
227 {
228 switch (ret)
229 {
230 case GNUTLS_E_AGAIN:
231 case GNUTLS_E_INTERRUPTED:
232 if(rb_ignore_errno(errno))
233 {
234 if(gnutls_record_get_direction(*ssl) == 0)
235 return RB_RW_SSL_NEED_READ;
236 else
237 return RB_RW_SSL_NEED_WRITE;
238 break;
239 }
240 default:
241 F->ssl_errno = ret;
242 errno = EIO;
243 return RB_RW_IO_ERROR;
244 }
245 }
246 return ret;
247}
248
249ssize_t
250rb_ssl_read(rb_fde_t *F, void *buf, size_t count)
251{
252 return rb_ssl_read_or_write(0, F, buf, NULL, count);
253}
254
255ssize_t
256rb_ssl_write(rb_fde_t *F, const void *buf, size_t count)
257{
258 return rb_ssl_read_or_write(1, F, NULL, buf, count);
259}
260
c56f5979 261#if (GNUTLS_VERSION_MAJOR < 3)
2bd29df9
AB		 262static void
263rb_gcry_random_seed(void *unused)
264{
265 gcry_fast_random_poll();
266}
c56f5979 267#endif
2bd29df9
AB		 268
269int
270rb_init_ssl(void)
271{
272 gnutls_global_init();
273
274 if(gnutls_certificate_allocate_credentials(&x509) != GNUTLS_E_SUCCESS)
275 {
276 rb_lib_log("rb_init_ssl: Unable to allocate SSL/TLS certificate credentials");
277 return 0;
278 }
279
f7036bbe 280#if GNUTLS_VERSION_MAJOR < 3
2bd29df9 281 gnutls_certificate_client_set_retrieve_function(x509, cert_callback);
f7036bbe
AC		 282#else
283 gnutls_certificate_set_retrieve_function(x509, cert_callback);
284#endif
2bd29df9 285
c56f5979 286#if (GNUTLS_VERSION_MAJOR < 3)
2bd29df9 287 rb_event_addish("rb_gcry_random_seed", rb_gcry_random_seed, NULL, 300);
c56f5979
VI		 288#endif
289
2bd29df9
AB		 290 return 1;
291}
292
293/* We only have one certificate to authenticate with, as both client and server. Unfortunately,
294 * GnuTLS tries to be clever, and as client, will attempt to use a certificate that the server
295 * will trust. We usually use self-signed certs, though, so the result of this search is always
296 * nothing. Therefore, it uses no certificate to authenticate as a client. This is undesirable
297 * as it breaks fingerprint auth. Thus, we use this callback to force GnuTLS to always
298 * authenticate with our certificate at all times.
299 */
f7036bbe 300#if GNUTLS_VERSION_MAJOR < 3
2bd29df9
AB		 301static int
302cert_callback(gnutls_session_t session, const gnutls_datum_t *req_ca_rdn, int nreqs,
303 const gnutls_pk_algorithm_t *sign_algos, int sign_algos_len, gnutls_retr_st *st)
f7036bbe
AC		 304#else
305static int
306cert_callback(gnutls_session_t session, const gnutls_datum_t *req_ca_rdn, int nreqs,
307 const gnutls_pk_algorithm_t *sign_algos, int sign_algos_len, gnutls_retr2_st *st)
308#endif
2bd29df9
AB		 309{
310 /* XXX - ugly hack. Tell GnuTLS to use the first (only) certificate we have for auth. */
c56f5979 311#if (GNUTLS_VERSION_MAJOR < 3)
2bd29df9 312 st->type = GNUTLS_CRT_X509;
c56f5979
VI		 313#else
314 st->cert_type = GNUTLS_CRT_X509;
315 st->key_type = GNUTLS_PRIVKEY_X509;
316#endif
2bd29df9
AB		 317 st->ncerts = x509_cert_count;
318 st->cert.x509 = x509_cert;
319 st->key.x509 = x509_key;
c56f5979 320 st->deinit_all = 0;
2bd29df9
AB		 321
322 return 0;
323}
324
325static void
326rb_free_datum_t(gnutls_datum_t * d)
327{
328 rb_free(d->data);
329 rb_free(d);
330}
331
332static gnutls_datum_t *
333rb_load_file_into_datum_t(const char *file)
334{
335 FILE *f;
336 gnutls_datum_t *datum;
337 struct stat fileinfo;
31646e89 338 int count;
2bd29df9
AB		 339 if((f = fopen(file, "r")) == NULL)
340 return NULL;
341 if(fstat(fileno(f), &fileinfo))
342 return NULL;
343
344 datum = rb_malloc(sizeof(gnutls_datum_t));
345
346 if(fileinfo.st_size > 131072) /* deal with retards */
347 datum->size = 131072;
348 else
349 datum->size = fileinfo.st_size;
350
351 datum->data = rb_malloc(datum->size + 1);
31646e89 352 count = fread(datum->data, datum->size, 1, f);
2bd29df9 353 fclose(f);
31646e89
SA		 354
355 if(count != 1)
356 {
357 rb_free_datum_t(datum);
358 return NULL;
359 }
2bd29df9
AB		 360 return datum;
361}
362
363int
c1725bda 364rb_setup_ssl_server(const char *cert, const char *keyfile, const char *dhfile, const char *cipher_list)
2bd29df9
AB		 365{
366 int ret;
673ec98e 367 const char *err;
2bd29df9
AB		 368 gnutls_datum_t *d_cert, *d_key;
369 if(cert == NULL)
370 {
371 rb_lib_log("rb_setup_ssl_server: No certificate file");
372 return 0;
373 }
374
375 if((d_cert = rb_load_file_into_datum_t(cert)) == NULL)
376 {
377 rb_lib_log("rb_setup_ssl_server: Error loading certificate: %s", strerror(errno));
378 return 0;
379 }
380
381 if((d_key = rb_load_file_into_datum_t(keyfile)) == NULL)
382 {
383 rb_lib_log("rb_setup_ssl_server: Error loading key: %s", strerror(errno));
384 return 0;
385 }
386
387 /* In addition to creating the certificate set, we also need to store our cert elsewhere
388 * so we can force GnuTLS to identify with it when acting as a client.
389 */
390 gnutls_x509_privkey_init(&x509_key);
391 if ((ret = gnutls_x509_privkey_import(x509_key, d_key, GNUTLS_X509_FMT_PEM)) != GNUTLS_E_SUCCESS)
392 {
393 rb_lib_log("rb_setup_ssl_server: Error loading key file: %s", gnutls_strerror(ret));
394 return 0;
395 }
396
397 x509_cert_count = MAX_CERTS;
398 if ((ret = gnutls_x509_crt_list_import(x509_cert, &x509_cert_count, d_cert, GNUTLS_X509_FMT_PEM,
399 GNUTLS_X509_CRT_LIST_IMPORT_FAIL_IF_EXCEED)) < 0)
400 {
401 rb_lib_log("rb_setup_ssl_server: Error loading certificate: %s", gnutls_strerror(ret));
402 return 0;
403 }
404 x509_cert_count = ret;
405
406 if((ret =
407 gnutls_certificate_set_x509_key_mem(x509, d_cert, d_key,
408 GNUTLS_X509_FMT_PEM)) != GNUTLS_E_SUCCESS)
409 {
410 rb_lib_log("rb_setup_ssl_server: Error loading certificate or key file: %s",
411 gnutls_strerror(ret));
412 return 0;
413 }
414
415 rb_free_datum_t(d_cert);
416 rb_free_datum_t(d_key);
417
418 if(dhfile != NULL)
419 {
420 if(gnutls_dh_params_init(&dh_params) == GNUTLS_E_SUCCESS)
421 {
422 gnutls_datum_t *data;
423 int xret;
424 data = rb_load_file_into_datum_t(dhfile);
425 if(data != NULL)
426 {
427 xret = gnutls_dh_params_import_pkcs3(dh_params, data,
428 GNUTLS_X509_FMT_PEM);
429 if(xret < 0)
430 rb_lib_log
431 ("rb_setup_ssl_server: Error parsing DH file: %s\n",
432 gnutls_strerror(xret));
433 rb_free_datum_t(data);
434 }
435 gnutls_certificate_set_dh_params(x509, dh_params);
436 }
437 else
438 rb_lib_log("rb_setup_ssl_server: Unable to setup DH parameters");
439 }
c1725bda 440
7233e364 441 ret = gnutls_priority_init(&default_priority, cipher_list, &err);
673ec98e
AC		 442 if (ret < 0)
443 {
444 rb_lib_log("rb_setup_ssl_server: syntax error (using defaults instead) in ssl cipher list at: %s", err);
445 gnutls_priority_init(&default_priority, NULL, &err);
446 return 1;
447 }
448
2bd29df9
AB		 449 return 1;
450}
451
452int
453rb_ssl_listen(rb_fde_t *F, int backlog, int defer_accept)
454{
455 int result;
456
fab6f9e8 457 result = rb_listen(F, backlog, defer_accept);
2bd29df9
AB		 458 F->type = RB_FD_SOCKET | RB_FD_LISTEN | RB_FD_SSL;
459
460 return result;
461}
462
463struct ssl_connect
464{
465 CNCB *callback;
466 void *data;
467 int timeout;
468};
469
470static void
471rb_ssl_connect_realcb(rb_fde_t *F, int status, struct ssl_connect *sconn)
472{
473 F->connect->callback = sconn->callback;
474 F->connect->data = sconn->data;
475 rb_free(sconn);
476 rb_connect_callback(F, status);
477}
478
479static void
480rb_ssl_tryconn_timeout_cb(rb_fde_t *F, void *data)
481{
482 rb_ssl_connect_realcb(F, RB_ERR_TIMEOUT, data);
483}
484
485static void
486rb_ssl_tryconn_cb(rb_fde_t *F, void *data)
487{
488 struct ssl_connect *sconn = data;
489 int ret;
490
491 ret = do_ssl_handshake(F, rb_ssl_tryconn_cb, (void *)sconn);
492
493 switch (ret)
494 {
495 case -1:
496 rb_ssl_connect_realcb(F, RB_ERROR_SSL, sconn);
497 break;
498 case 0:
499 /* do_ssl_handshake does the rb_setselect stuff */
500 return;
501 default:
502 break;
503
504
505 }
506 rb_ssl_connect_realcb(F, RB_OK, sconn);
507}
508
509static void
510rb_ssl_tryconn(rb_fde_t *F, int status, void *data)
511{
512 struct ssl_connect *sconn = data;
513 if(status != RB_OK)
514 {
515 rb_ssl_connect_realcb(F, status, sconn);
516 return;
517 }
518
519 F->type |= RB_FD_SSL;
520
521
522 rb_settimeout(F, sconn->timeout, rb_ssl_tryconn_timeout_cb, sconn);
523 F->ssl = rb_malloc(sizeof(gnutls_session_t));
524 gnutls_init(F->ssl, GNUTLS_CLIENT);
525 gnutls_set_default_priority(SSL_P(F));
526 gnutls_credentials_set(SSL_P(F), GNUTLS_CRD_CERTIFICATE, x509);
527 gnutls_dh_set_prime_bits(SSL_P(F), 1024);
528 gnutls_transport_set_ptr(SSL_P(F), (gnutls_transport_ptr_t) (long int)F->fd);
673ec98e 529 gnutls_priority_set(SSL_P(F), default_priority);
2bd29df9
AB		 530
531 do_ssl_handshake(F, rb_ssl_tryconn_cb, (void *)sconn);
532}
533
534void
535rb_connect_tcp_ssl(rb_fde_t *F, struct sockaddr *dest,
5ad62c80 536 struct sockaddr *clocal, CNCB * callback, void *data, int timeout)
2bd29df9
AB		 537{
538 struct ssl_connect *sconn;
539 if(F == NULL)
540 return;
541
542 sconn = rb_malloc(sizeof(struct ssl_connect));
543 sconn->data = data;
544 sconn->callback = callback;
545 sconn->timeout = timeout;
5ad62c80 546 rb_connect_tcp(F, dest, clocal, rb_ssl_tryconn, sconn, timeout);
2bd29df9
AB		 547
548}
549
550void
551rb_ssl_start_connected(rb_fde_t *F, CNCB * callback, void *data, int timeout)
552{
553 struct ssl_connect *sconn;
554 if(F == NULL)
555 return;
556
557 sconn = rb_malloc(sizeof(struct ssl_connect));
558 sconn->data = data;
559 sconn->callback = callback;
560 sconn->timeout = timeout;
561 F->connect = rb_malloc(sizeof(struct conndata));
562 F->connect->callback = callback;
563 F->connect->data = data;
564 F->type |= RB_FD_SSL;
565 F->ssl = rb_malloc(sizeof(gnutls_session_t));
566
567 gnutls_init(F->ssl, GNUTLS_CLIENT);
568 gnutls_set_default_priority(SSL_P(F));
569 gnutls_credentials_set(SSL_P(F), GNUTLS_CRD_CERTIFICATE, x509);
570 gnutls_dh_set_prime_bits(SSL_P(F), 1024);
571 gnutls_transport_set_ptr(SSL_P(F), (gnutls_transport_ptr_t) (long int)F->fd);
673ec98e 572 gnutls_priority_set(SSL_P(F), default_priority);
2bd29df9
AB		 573
574 rb_settimeout(F, sconn->timeout, rb_ssl_tryconn_timeout_cb, sconn);
575
576 do_ssl_handshake(F, rb_ssl_tryconn_cb, (void *)sconn);
577}
578
579int
580rb_init_prng(const char *path, prng_seed_t seed_type)
581{
7aa40f6d 582#if GNUTLS_VERSION_MAJOR < 3
2bd29df9 583 gcry_fast_random_poll();
7aa40f6d 584#endif
2bd29df9
AB		 585 return 1;
586}
587
588int
589rb_get_random(void *buf, size_t length)
590{
7aa40f6d 591#if GNUTLS_VERSION_MAJOR < 3
2bd29df9 592 gcry_randomize(buf, length, GCRY_STRONG_RANDOM);
7aa40f6d
AC		 593#else
594 gnutls_rnd(GNUTLS_RND_KEY, buf, length);
595#endif
2bd29df9
AB		 596 return 1;
597}
598
2bd29df9
AB		 599const char *
600rb_get_ssl_strerror(rb_fde_t *F)
601{
602 return gnutls_strerror(F->ssl_errno);
603}
604
e3760ba7 605static int
03469187 606make_certfp(gnutls_x509_crt_t cert, uint8_t certfp[RB_SSL_CERTFP_LEN], int method)
2bd29df9 607{
e6bbb410 608 gnutls_digest_algorithm_t algo;
2bd29df9
AB		 609 uint8_t digest[RB_SSL_CERTFP_LEN * 2];
610 size_t digest_size;
cf430c1a 611 bool spki = false;
e3760ba7 612 int len;
2bd29df9 613
e6bbb410
EM		 614 switch(method)
615 {
cf430c1a 616 case RB_SSL_CERTFP_METH_CERT_SHA1:
e6bbb410
EM		 617 algo = GNUTLS_DIG_SHA1;
618 len = RB_SSL_CERTFP_LEN_SHA1;
619 break;
cf430c1a
SA		 620 case RB_SSL_CERTFP_METH_SPKI_SHA256:
621 spki = true;
622 case RB_SSL_CERTFP_METH_CERT_SHA256:
e6bbb410
EM		 623 algo = GNUTLS_DIG_SHA256;
624 len = RB_SSL_CERTFP_LEN_SHA256;
625 break;
cf430c1a
SA		 626 case RB_SSL_CERTFP_METH_SPKI_SHA512:
627 spki = true;
628 case RB_SSL_CERTFP_METH_CERT_SHA512:
e6bbb410
EM		 629 algo = GNUTLS_DIG_SHA512;
630 len = RB_SSL_CERTFP_LEN_SHA512;
631 break;
632 default:
633 return 0;
634 }
635
cf430c1a 636 if (!spki)
2bd29df9 637 {
cf430c1a
SA		 638 if (gnutls_x509_crt_get_fingerprint(cert, algo, digest, &digest_size) < 0)
639 len = 0;
640 }
641 else
642 {
643 gnutls_pubkey_t pubkey;
644 unsigned char *der_pubkey = NULL;
645 size_t der_pubkey_len = 0;
646
647 if (gnutls_pubkey_init(&pubkey) == GNUTLS_E_SUCCESS)
648 {
649 if (gnutls_pubkey_import_x509(pubkey, cert, 0) == GNUTLS_E_SUCCESS)
650 {
651 if (gnutls_pubkey_export(pubkey, GNUTLS_X509_FMT_DER, der_pubkey, &der_pubkey_len) == GNUTLS_E_SHORT_MEMORY_BUFFER)
652 {
653 der_pubkey = rb_malloc(der_pubkey_len);
654
655 if (gnutls_pubkey_export(pubkey, GNUTLS_X509_FMT_DER, der_pubkey, &der_pubkey_len) != GNUTLS_E_SUCCESS)
656 {
657 rb_free(der_pubkey);
658 der_pubkey = NULL;
659 }
660 }
661 }
662
663 gnutls_pubkey_deinit(pubkey);
664 }
665
666 if (der_pubkey)
667 {
668 if (gnutls_hash_fast(algo, der_pubkey, der_pubkey_len, digest) != 0)
669 len = 0;
670
671 rb_free(der_pubkey);
672 }
673 else
674 {
675 len = 0;
676 }
2bd29df9
AB		 677 }
678
cf430c1a
SA		 679 if (len)
680 memcpy(certfp, digest, len);
03469187
SA		 681 return len;
682}
683
684int
685rb_get_ssl_certfp(rb_fde_t *F, uint8_t certfp[RB_SSL_CERTFP_LEN], int method)
686{
687 gnutls_x509_crt_t cert;
688 unsigned int cert_list_size;
689 const gnutls_datum_t *cert_list;
690 int len;
691
692 if (gnutls_certificate_type_get(SSL_P(F)) != GNUTLS_CRT_X509)
693 return 0;
694
695 if (gnutls_x509_crt_init(&cert) < 0)
696 return 0;
697
698 cert_list_size = 0;
699 cert_list = gnutls_certificate_get_peers(SSL_P(F), &cert_list_size);
700 if (cert_list == NULL)
701 {
702 gnutls_x509_crt_deinit(cert);
703 return 0;
704 }
705
706 if (gnutls_x509_crt_import(cert, &cert_list[0], GNUTLS_X509_FMT_DER) < 0)
707 {
708 gnutls_x509_crt_deinit(cert);
709 return 0;
710 }
711
712 len = make_certfp(cert, certfp, method);
713 gnutls_x509_crt_deinit(cert);
714 return len;
715}
716
717int
718rb_get_ssl_certfp_file(const char *filename, uint8_t certfp[RB_SSL_CERTFP_LEN], int method)
719{
720 gnutls_x509_crt_t cert;
721 gnutls_datum_t *d_cert;
722 unsigned int len;
723
724 if ((d_cert = rb_load_file_into_datum_t(filename)) == NULL)
725 return -1;
726
727 if (gnutls_x509_crt_init(&cert) < 0)
728 return -1;
729
730 if (gnutls_x509_crt_import(cert, d_cert, GNUTLS_X509_FMT_PEM) != 0)
731 return -1;
2bd29df9 732
03469187 733 len = make_certfp(cert, certfp, method);
2bd29df9 734 gnutls_x509_crt_deinit(cert);
e6bbb410 735 return len;
2bd29df9
AB		 736}
737
738int
739rb_supports_ssl(void)
740{
741 return 1;
742}
743
744void
745rb_get_ssl_info(char *buf, size_t len)
746{
5203cba5 747 snprintf(buf, len, "GNUTLS: compiled (%s), library(%s)",
2bd29df9
AB		 748 LIBGNUTLS_VERSION, gnutls_check_version(NULL));
749}
55abcbb2 750
833b2f9c
AC		 751const char *
752rb_ssl_get_cipher(rb_fde_t *F)
753{
754 static char buf[1024];
755
5203cba5 756 snprintf(buf, sizeof(buf), "%s-%s-%s-%s",
833b2f9c
AC		 757 gnutls_protocol_get_name(gnutls_protocol_get_version(SSL_P(F))),
758 gnutls_kx_get_name(gnutls_kx_get(SSL_P(F))),
759 gnutls_cipher_get_name(gnutls_cipher_get(SSL_P(F))),
760 gnutls_mac_get_name(gnutls_mac_get(SSL_P(F))));
761
762 return buf;
763}
55abcbb2 764
2bd29df9 765#endif /* HAVE_GNUTLS */
Fork of solanum ircd, history is rebased regularly