]> jfr.im git - solanum.git/blame - librb/src/openssl.c
projects / solanum.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
[openssl] More improvements to the backend
[solanum.git] / librb / src / openssl.c
CommitLineData
db137867 1/*
fe037171 2 * librb: a library used by ircd-ratbox and other things
db137867
AC		 3 * openssl.c: openssl related code
4 *
5 * Copyright (C) 2007-2008 ircd-ratbox development team
6 * Copyright (C) 2007-2008 Aaron Sethman <androsyn@ratbox.org>
7 *
8 * This program is free software; you can redistribute it and/or modify
9 * it under the terms of the GNU General Public License as published by
10 * the Free Software Foundation; either version 2 of the License, or
11 * (at your option) any later version.
12 *
13 * This program is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
55abcbb2 17 *
db137867
AC		 18 * You should have received a copy of the GNU General Public License
19 * along with this program; if not, write to the Free Software
20 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301
21 * USA
22 *
db137867
AC		 23 */
24
fe037171
EM		 25#include <librb_config.h>
26#include <rb_lib.h>
db137867
AC		 27
28#ifdef HAVE_OPENSSL
29
30#include <commio-int.h>
31#include <commio-ssl.h>
32#include <openssl/ssl.h>
33#include <openssl/dh.h>
34#include <openssl/err.h>
d3806d05 35#include <openssl/evp.h>
db137867 36#include <openssl/rand.h>
3ae24413
AJ		 37#include <openssl/opensslv.h>
38
39/*
40 * This is a mess but what can you do when the library authors
41 * refuse to play ball with established conventions?
42 */
43#if defined(LIBRESSL_VERSION_NUMBER) && (LIBRESSL_VERSION_NUMBER >= 0x20020002L)
44# define LRB_HAVE_TLS_METHOD_API 1
45#else
46# if !defined(LIBRESSL_VERSION_NUMBER) && (OPENSSL_VERSION_NUMBER >= 0x10100000L)
47# define LRB_HAVE_TLS_METHOD_API 1
48# endif
49#endif
db137867 50
b1f05493
AJ		 51/*
52 * Use SSL_CTX_set_ecdh_auto() in OpenSSL 1.0.2 only
53 * Use SSL_CTX_set1_curves_list() in OpenSSL 1.0.2 and above
54 * TODO: Merge this into the block above if LibreSSL implements them
55 */
56#if !defined(LIBRESSL_VERSION_NUMBER) && (OPENSSL_VERSION_NUMBER >= 0x10002000L)
57# define LRB_HAVE_TLS_SET_CURVES 1
58# if (OPENSSL_VERSION_NUMBER < 0x10100000L)
59# define LRB_HAVE_TLS_ECDH_AUTO 1
60# endif
61#endif
62
cf12678b
AJ		 63static SSL_CTX *ssl_server_ctx = NULL;
64static SSL_CTX *ssl_client_ctx = NULL;
fe037171 65static int librb_index = -1;
db137867 66
3202e249
VY		 67static unsigned long
68get_last_err(void)
db137867
AC		 69{
70 unsigned long t_err, err = 0;
71 err = ERR_get_error();
72 if(err == 0)
73 return 0;
3202e249 74
db137867
AC		 75 while((t_err = ERR_get_error()) > 0)
76 err = t_err;
77
78 return err;
79}
80
81void
3202e249 82rb_ssl_shutdown(rb_fde_t *F)
db137867
AC		 83{
84 int i;
85 if(F == NULL || F->ssl == NULL)
86 return;
87 SSL_set_shutdown((SSL *) F->ssl, SSL_RECEIVED_SHUTDOWN);
88
3202e249 89 for(i = 0; i < 4; i++)
db137867
AC		 90 {
91 if(SSL_shutdown((SSL *) F->ssl))
92 break;
93 }
94 get_last_err();
95 SSL_free((SSL *) F->ssl);
96}
97
c2ac22cc
VY		 98unsigned int
99rb_ssl_handshake_count(rb_fde_t *F)
100{
101 return F->handshake_count;
102}
103
104void
105rb_ssl_clear_handshake_count(rb_fde_t *F)
106{
107 F->handshake_count = 0;
108}
109
db137867 110static void
3202e249 111rb_ssl_timeout(rb_fde_t *F, void *notused)
db137867 112{
73d6283c
VY		 113 lrb_assert(F->accept != NULL);
114 F->accept->callback(F, RB_ERR_TIMEOUT, NULL, 0, F->accept->data);
db137867
AC		 115}
116
117
3202e249
VY		 118static void
119rb_ssl_info_callback(SSL * ssl, int where, int ret)
c2ac22cc
VY		 120{
121 if(where & SSL_CB_HANDSHAKE_START)
122 {
fe037171 123 rb_fde_t *F = SSL_get_ex_data(ssl, librb_index);
c2ac22cc
VY		 124 if(F == NULL)
125 return;
126 F->handshake_count++;
3202e249 127 }
c2ac22cc
VY		 128}
129
130static void
131rb_setup_ssl_cb(rb_fde_t *F)
132{
fe037171 133 SSL_set_ex_data(F->ssl, librb_index, (char *)F);
3202e249 134 SSL_set_info_callback((SSL *) F->ssl, (void (*)(const SSL *,int,int))rb_ssl_info_callback);
c2ac22cc
VY		 135}
136
db137867 137static void
3202e249 138rb_ssl_tryaccept(rb_fde_t *F, void *data)
db137867
AC		 139{
140 int ssl_err;
141 lrb_assert(F->accept != NULL);
73d6283c 142 int flags;
2142f691 143 struct acceptdata *ad;
db137867
AC		 144
145 if(!SSL_is_init_finished((SSL *) F->ssl))
146 {
147 if((ssl_err = SSL_accept((SSL *) F->ssl)) <= 0)
148 {
149 switch (ssl_err = SSL_get_error((SSL *) F->ssl, ssl_err))
150 {
db137867
AC		 151 case SSL_ERROR_WANT_READ:
152 case SSL_ERROR_WANT_WRITE:
73d6283c
VY		 153 if(ssl_err == SSL_ERROR_WANT_WRITE)
154 flags = RB_SELECT_WRITE;
155 else
156 flags = RB_SELECT_READ;
157 F->ssl_errno = get_last_err();
158 rb_setselect(F, flags, rb_ssl_tryaccept, NULL);
159 break;
160 case SSL_ERROR_SYSCALL:
161 F->accept->callback(F, RB_ERROR, NULL, 0, F->accept->data);
162 break;
db137867
AC		 163 default:
164 F->ssl_errno = get_last_err();
165 F->accept->callback(F, RB_ERROR_SSL, NULL, 0, F->accept->data);
166 break;
167 }
168 return;
169 }
170 }
171 rb_settimeout(F, 0, NULL, NULL);
172 rb_setselect(F, RB_SELECT_READ | RB_SELECT_WRITE, NULL, NULL);
3202e249 173
2142f691 174 ad = F->accept;
db137867 175 F->accept = NULL;
3202e249 176 ad->callback(F, RB_OK, (struct sockaddr *)&ad->S, ad->addrlen, ad->data);
2142f691 177 rb_free(ad);
db137867
AC		 178
179}
180
c2ac22cc
VY		 181
182static void
183rb_ssl_accept_common(rb_fde_t *new_F)
db137867
AC		 184{
185 int ssl_err;
db137867
AC		 186 if((ssl_err = SSL_accept((SSL *) new_F->ssl)) <= 0)
187 {
188 switch (ssl_err = SSL_get_error((SSL *) new_F->ssl, ssl_err))
189 {
190 case SSL_ERROR_SYSCALL:
191 if(rb_ignore_errno(errno))
192 case SSL_ERROR_WANT_READ:
193 case SSL_ERROR_WANT_WRITE:
194 {
195 new_F->ssl_errno = get_last_err();
196 rb_setselect(new_F, RB_SELECT_READ | RB_SELECT_WRITE,
197 rb_ssl_tryaccept, NULL);
198 return;
199 }
200 default:
201 new_F->ssl_errno = get_last_err();
202 new_F->accept->callback(new_F, RB_ERROR_SSL, NULL, 0, new_F->accept->data);
203 return;
204 }
205 }
206 else
207 {
208 rb_ssl_tryaccept(new_F, NULL);
209 }
210}
211
c2ac22cc 212void
3202e249 213rb_ssl_start_accepted(rb_fde_t *new_F, ACCB * cb, void *data, int timeout)
c2ac22cc
VY		 214{
215 new_F->type |= RB_FD_SSL;
216 new_F->ssl = SSL_new(ssl_server_ctx);
217 new_F->accept = rb_malloc(sizeof(struct acceptdata));
218
219 new_F->accept->callback = cb;
220 new_F->accept->data = data;
221 rb_settimeout(new_F, timeout, rb_ssl_timeout, NULL);
222
223 new_F->accept->addrlen = 0;
224 SSL_set_fd((SSL *) new_F->ssl, rb_get_fd(new_F));
225 rb_setup_ssl_cb(new_F);
226 rb_ssl_accept_common(new_F);
227}
228
db137867
AC		 229
230
231
232void
3202e249 233rb_ssl_accept_setup(rb_fde_t *F, rb_fde_t *new_F, struct sockaddr *st, int addrlen)
db137867 234{
db137867
AC		 235 new_F->type |= RB_FD_SSL;
236 new_F->ssl = SSL_new(ssl_server_ctx);
237 new_F->accept = rb_malloc(sizeof(struct acceptdata));
238
239 new_F->accept->callback = F->accept->callback;
240 new_F->accept->data = F->accept->data;
241 rb_settimeout(new_F, 10, rb_ssl_timeout, NULL);
242 memcpy(&new_F->accept->S, st, addrlen);
243 new_F->accept->addrlen = addrlen;
244
a9fb3ed0 245 SSL_set_fd((SSL *) new_F->ssl, rb_get_fd(new_F));
c2ac22cc
VY		 246 rb_setup_ssl_cb(new_F);
247 rb_ssl_accept_common(new_F);
db137867
AC		 248}
249
250static ssize_t
3202e249 251rb_ssl_read_or_write(int r_or_w, rb_fde_t *F, void *rbuf, const void *wbuf, size_t count)
db137867
AC		 252{
253 ssize_t ret;
254 unsigned long err;
255 SSL *ssl = F->ssl;
256
257 if(r_or_w == 0)
3202e249 258 ret = (ssize_t) SSL_read(ssl, rbuf, (int)count);
db137867 259 else
3202e249 260 ret = (ssize_t) SSL_write(ssl, wbuf, (int)count);
db137867
AC		 261
262 if(ret < 0)
263 {
264 switch (SSL_get_error(ssl, ret))
265 {
266 case SSL_ERROR_WANT_READ:
267 errno = EAGAIN;
268 return RB_RW_SSL_NEED_READ;
269 case SSL_ERROR_WANT_WRITE:
270 errno = EAGAIN;
271 return RB_RW_SSL_NEED_WRITE;
272 case SSL_ERROR_ZERO_RETURN:
273 return 0;
274 case SSL_ERROR_SYSCALL:
275 err = get_last_err();
276 if(err == 0)
277 {
278 F->ssl_errno = 0;
279 return RB_RW_IO_ERROR;
280 }
281 break;
282 default:
283 err = get_last_err();
284 break;
285 }
286 F->ssl_errno = err;
287 if(err > 0)
288 {
289 errno = EIO; /* not great but... */
290 return RB_RW_SSL_ERROR;
291 }
292 return RB_RW_IO_ERROR;
293 }
294 return ret;
295}
296
297ssize_t
3202e249 298rb_ssl_read(rb_fde_t *F, void *buf, size_t count)
db137867
AC		 299{
300 return rb_ssl_read_or_write(0, F, buf, NULL, count);
301}
302
303ssize_t
3202e249 304rb_ssl_write(rb_fde_t *F, const void *buf, size_t count)
db137867
AC		 305{
306 return rb_ssl_read_or_write(1, F, NULL, buf, count);
307}
308
7247337a
JT		 309static int
310verify_accept_all_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)
311{
312 return 1;
313}
314
918d73d5
JT		 315static const char *
316get_ssl_error(unsigned long err)
317{
318 static char buf[512];
319
320 ERR_error_string_n(err, buf, sizeof buf);
321 return buf;
322}
323
db137867
AC		 324int
325rb_init_ssl(void)
326{
fe037171 327 char librb_data[] = "librb data";
cf12678b
AJ		 328
329#if (OPENSSL_VERSION_NUMBER < 0x10100000L)
330 /*
331 * OpenSSL 1.1.0 and above automatically initialises itself with sane defaults
332 */
db137867 333 SSL_library_init();
cf12678b
AJ		 334 SSL_load_error_strings();
335#endif
336
fe037171 337 librb_index = SSL_get_ex_new_index(0, librb_data, NULL, NULL, NULL);
a4c8c827 338
cf12678b
AJ		 339 return 1;
340}
341
342int
343rb_setup_ssl_server(const char *cert, const char *keyfile, const char *dhfile, const char *cipher_list)
344{
345 const char librb_ciphers[] = "kEECDH+HIGH:kEDH+HIGH:HIGH:!aNULL";
346
347 #ifdef LRB_HAVE_TLS_SET_CURVES
348 const char librb_curves[] = "P-521:P-384:P-256";
349 #endif
350
351 if(cert == NULL)
352 {
353 rb_lib_log("rb_setup_ssl_server: No certificate file");
354 return 0;
355 }
356
357 if(keyfile == NULL)
358 {
359 rb_lib_log("rb_setup_ssl_server: No key file");
360 return 0;
361 }
362
363 if (ssl_server_ctx)
364 SSL_CTX_free(ssl_server_ctx);
365
366 if (ssl_client_ctx)
367 SSL_CTX_free(ssl_client_ctx);
368
369 #ifdef LRB_HAVE_TLS_METHOD_API
a4c8c827 370 ssl_server_ctx = SSL_CTX_new(TLS_server_method());
cf12678b
AJ		 371 #else
372 ssl_server_ctx = SSL_CTX_new(SSLv23_server_method());
373 #endif
a4c8c827 374
db137867
AC		 375 if(ssl_server_ctx == NULL)
376 {
377 rb_lib_log("rb_init_openssl: Unable to initialize OpenSSL server context: %s",
918d73d5 378 get_ssl_error(ERR_get_error()));
db137867 379 }
cf12678b
AJ		 380 else
381 {
a4c8c827 382
cf12678b 383 long server_options = 0;
a4c8c827 384
cf12678b
AJ		 385 #ifndef LRB_HAVE_TLS_METHOD_API
386 server_options |= SSL_OP_NO_SSLv2;
387 server_options |= SSL_OP_NO_SSLv3;
388 #endif
a4c8c827 389
cf12678b
AJ		 390 #ifdef SSL_OP_SINGLE_DH_USE
391 server_options |= SSL_OP_SINGLE_DH_USE;
392 #endif
a4c8c827 393
cf12678b
AJ		 394 #ifdef SSL_OP_SINGLE_ECDH_USE
395 server_options |= SSL_OP_SINGLE_ECDH_USE;
396 #endif
a4c8c827 397
cf12678b
AJ		 398 #ifdef SSL_OP_NO_TICKET
399 server_options |= SSL_OP_NO_TICKET;
400 #endif
a4c8c827 401
cf12678b
AJ		 402 #ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
403 server_options |= SSL_OP_CIPHER_SERVER_PREFERENCE;
404 #endif
a4c8c827 405
cf12678b 406 SSL_CTX_set_options(ssl_server_ctx, server_options);
b6e799f5 407
cf12678b
AJ		 408 SSL_CTX_set_verify(ssl_server_ctx, SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE, verify_accept_all_cb);
409 SSL_CTX_set_session_cache_mode(ssl_server_ctx, SSL_SESS_CACHE_OFF);
b1f05493 410
cf12678b
AJ		 411 #ifdef LRB_HAVE_TLS_SET_CURVES
412 SSL_CTX_set1_curves_list(ssl_server_ctx, librb_curves);
413 #endif
b1f05493 414
cf12678b
AJ		 415 #ifdef LRB_HAVE_TLS_ECDH_AUTO
416 SSL_CTX_set_ecdh_auto(ssl_server_ctx, 1);
417 #endif
418
419 /*
420 * Set manual ECDHE curve on OpenSSL 1.0.0 & 1.0.1, but make sure it's actually available
421 */
422 #if (OPENSSL_VERSION_NUMBER >= 0x10000000L) && (OPENSSL_VERSION_NUMBER < 0x10002000L) && !defined(OPENSSL_NO_ECDH)
9e26f000
KB		 423 EC_KEY *key = EC_KEY_new_by_curve_name(NID_secp384r1);
424 if (key) {
425 SSL_CTX_set_tmp_ecdh(ssl_server_ctx, key);
426 EC_KEY_free(key);
427 }
cf12678b
AJ		 428 #endif
429 }
3202e249 430
cf12678b 431 #ifdef LRB_HAVE_TLS_METHOD_API
c86f11da 432 ssl_client_ctx = SSL_CTX_new(TLS_client_method());
cf12678b
AJ		 433 #else
434 ssl_client_ctx = SSL_CTX_new(SSLv23_client_method());
435 #endif
db137867
AC		 436
437 if(ssl_client_ctx == NULL)
438 {
439 rb_lib_log("rb_init_openssl: Unable to initialize OpenSSL client context: %s",
918d73d5 440 get_ssl_error(ERR_get_error()));
db137867 441 }
cf12678b
AJ		 442 else
443 {
6b6a5799 444
cf12678b
AJ		 445 #ifndef LRB_HAVE_TLS_METHOD_API
446 SSL_CTX_set_options(ssl_client_ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
447 #endif
6b6a5799 448
cf12678b
AJ		 449 #ifdef SSL_OP_NO_TICKET
450 SSL_CTX_set_options(ssl_client_ctx, SSL_OP_NO_TICKET);
451 #endif
452 }
cb266283 453
cf12678b
AJ		 454 if(cipher_list == NULL)
455 cipher_list = librb_ciphers;
db137867 456
cf12678b
AJ		 457 SSL_CTX_set_cipher_list(ssl_server_ctx, cipher_list);
458 SSL_CTX_set_cipher_list(ssl_client_ctx, cipher_list);
db137867 459
07e14084 460 if(!SSL_CTX_use_certificate_chain_file(ssl_server_ctx, cert) || !SSL_CTX_use_certificate_chain_file(ssl_client_ctx, cert))
db137867 461 {
db137867 462 rb_lib_log("rb_setup_ssl_server: Error loading certificate file [%s]: %s", cert,
cf12678b 463 get_ssl_error(ERR_get_error()));
db137867
AC		 464 return 0;
465 }
466
07e14084 467 if(!SSL_CTX_use_PrivateKey_file(ssl_server_ctx, keyfile, SSL_FILETYPE_PEM) || !SSL_CTX_use_PrivateKey_file(ssl_client_ctx, keyfile, SSL_FILETYPE_PEM))
db137867 468 {
db137867 469 rb_lib_log("rb_setup_ssl_server: Error loading keyfile [%s]: %s", keyfile,
cf12678b 470 get_ssl_error(ERR_get_error()));
db137867
AC		 471 return 0;
472 }
473
474 if(dhfile != NULL)
475 {
476 /* DH parameters aren't necessary, but they are nice..if they didn't pass one..that is their problem */
3202e249
VY		 477 BIO *bio = BIO_new_file(dhfile, "r");
478 if(bio != NULL)
db137867 479 {
cf12678b 480 DH *dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
db137867
AC		 481 if(dh == NULL)
482 {
db137867
AC		 483 rb_lib_log
484 ("rb_setup_ssl_server: Error loading DH params file [%s]: %s",
cf12678b 485 dhfile, get_ssl_error(ERR_get_error()));
3202e249 486 BIO_free(bio);
db137867
AC		 487 return 0;
488 }
3202e249 489 BIO_free(bio);
db137867 490 SSL_CTX_set_tmp_dh(ssl_server_ctx, dh);
cf12678b 491 DH_free(dh);
3202e249
VY		 492 }
493 else
494 {
3202e249 495 rb_lib_log("rb_setup_ssl_server: Error loading DH params file [%s]: %s",
cf12678b 496 dhfile, get_ssl_error(ERR_get_error()));
db137867
AC		 497 }
498 }
c1725bda 499
db137867
AC		 500 return 1;
501}
502
503int
aa4737a0 504rb_ssl_listen(rb_fde_t *F, int backlog, int defer_accept)
db137867 505{
aa4737a0
AC		 506 int result;
507
508 result = rb_listen(F, backlog, defer_accept);
db137867 509 F->type = RB_FD_SOCKET | RB_FD_LISTEN | RB_FD_SSL;
aa4737a0
AC		 510
511 return result;
db137867
AC		 512}
513
514struct ssl_connect
515{
516 CNCB *callback;
517 void *data;
518 int timeout;
519};
520
521static void
3202e249 522rb_ssl_connect_realcb(rb_fde_t *F, int status, struct ssl_connect *sconn)
db137867
AC		 523{
524 F->connect->callback = sconn->callback;
525 F->connect->data = sconn->data;
526 rb_free(sconn);
527 rb_connect_callback(F, status);
528}
529
530static void
3202e249 531rb_ssl_tryconn_timeout_cb(rb_fde_t *F, void *data)
db137867
AC		 532{
533 rb_ssl_connect_realcb(F, RB_ERR_TIMEOUT, data);
534}
535
536static void
3202e249 537rb_ssl_tryconn_cb(rb_fde_t *F, void *data)
db137867
AC		 538{
539 struct ssl_connect *sconn = data;
540 int ssl_err;
541 if(!SSL_is_init_finished((SSL *) F->ssl))
542 {
543 if((ssl_err = SSL_connect((SSL *) F->ssl)) <= 0)
544 {
545 switch (ssl_err = SSL_get_error((SSL *) F->ssl, ssl_err))
546 {
547 case SSL_ERROR_SYSCALL:
548 if(rb_ignore_errno(errno))
549 case SSL_ERROR_WANT_READ:
550 case SSL_ERROR_WANT_WRITE:
551 {
552 F->ssl_errno = get_last_err();
553 rb_setselect(F, RB_SELECT_READ | RB_SELECT_WRITE,
554 rb_ssl_tryconn_cb, sconn);
555 return;
556 }
557 default:
558 F->ssl_errno = get_last_err();
559 rb_ssl_connect_realcb(F, RB_ERROR_SSL, sconn);
560 return;
561 }
562 }
563 else
564 {
565 rb_ssl_connect_realcb(F, RB_OK, sconn);
566 }
567 }
568}
569
570static void
3202e249 571rb_ssl_tryconn(rb_fde_t *F, int status, void *data)
db137867
AC		 572{
573 struct ssl_connect *sconn = data;
574 int ssl_err;
575 if(status != RB_OK)
576 {
577 rb_ssl_connect_realcb(F, status, sconn);
578 return;
579 }
580
581 F->type |= RB_FD_SSL;
582 F->ssl = SSL_new(ssl_client_ctx);
583 SSL_set_fd((SSL *) F->ssl, F->fd);
c2ac22cc 584 rb_setup_ssl_cb(F);
db137867
AC		 585 rb_settimeout(F, sconn->timeout, rb_ssl_tryconn_timeout_cb, sconn);
586 if((ssl_err = SSL_connect((SSL *) F->ssl)) <= 0)
587 {
588 switch (ssl_err = SSL_get_error((SSL *) F->ssl, ssl_err))
589 {
590 case SSL_ERROR_SYSCALL:
591 if(rb_ignore_errno(errno))
592 case SSL_ERROR_WANT_READ:
593 case SSL_ERROR_WANT_WRITE:
594 {
595 F->ssl_errno = get_last_err();
596 rb_setselect(F, RB_SELECT_READ | RB_SELECT_WRITE,
597 rb_ssl_tryconn_cb, sconn);
598 return;
599 }
600 default:
601 F->ssl_errno = get_last_err();
602 rb_ssl_connect_realcb(F, RB_ERROR_SSL, sconn);
603 return;
604 }
605 }
606 else
607 {
608 rb_ssl_connect_realcb(F, RB_OK, sconn);
609 }
610}
611
612void
3202e249 613rb_connect_tcp_ssl(rb_fde_t *F, struct sockaddr *dest,
5ad62c80 614 struct sockaddr *clocal, CNCB * callback, void *data, int timeout)
db137867
AC		 615{
616 struct ssl_connect *sconn;
617 if(F == NULL)
618 return;
619
620 sconn = rb_malloc(sizeof(struct ssl_connect));
621 sconn->data = data;
622 sconn->callback = callback;
623 sconn->timeout = timeout;
5ad62c80 624 rb_connect_tcp(F, dest, clocal, rb_ssl_tryconn, sconn, timeout);
db137867
AC		 625}
626
627void
3202e249 628rb_ssl_start_connected(rb_fde_t *F, CNCB * callback, void *data, int timeout)
db137867
AC		 629{
630 struct ssl_connect *sconn;
631 int ssl_err;
632 if(F == NULL)
633 return;
634
635 sconn = rb_malloc(sizeof(struct ssl_connect));
636 sconn->data = data;
637 sconn->callback = callback;
638 sconn->timeout = timeout;
639 F->connect = rb_malloc(sizeof(struct conndata));
640 F->connect->callback = callback;
641 F->connect->data = data;
642 F->type |= RB_FD_SSL;
643 F->ssl = SSL_new(ssl_client_ctx);
3202e249 644
db137867 645 SSL_set_fd((SSL *) F->ssl, F->fd);
c2ac22cc 646 rb_setup_ssl_cb(F);
db137867
AC		 647 rb_settimeout(F, sconn->timeout, rb_ssl_tryconn_timeout_cb, sconn);
648 if((ssl_err = SSL_connect((SSL *) F->ssl)) <= 0)
649 {
650 switch (ssl_err = SSL_get_error((SSL *) F->ssl, ssl_err))
651 {
652 case SSL_ERROR_SYSCALL:
653 if(rb_ignore_errno(errno))
654 case SSL_ERROR_WANT_READ:
655 case SSL_ERROR_WANT_WRITE:
656 {
657 F->ssl_errno = get_last_err();
658 rb_setselect(F, RB_SELECT_READ | RB_SELECT_WRITE,
659 rb_ssl_tryconn_cb, sconn);
660 return;
661 }
662 default:
663 F->ssl_errno = get_last_err();
664 rb_ssl_connect_realcb(F, RB_ERROR_SSL, sconn);
665 return;
666 }
667 }
668 else
669 {
670 rb_ssl_connect_realcb(F, RB_OK, sconn);
671 }
672}
673
674int
675rb_init_prng(const char *path, prng_seed_t seed_type)
676{
677 if(seed_type == RB_PRNG_DEFAULT)
678 {
3202e249 679#ifdef _WIN32
db137867
AC		 680 RAND_screen();
681#endif
682 return RAND_status();
683 }
684 if(path == NULL)
685 return RAND_status();
686
687 switch (seed_type)
688 {
db137867
AC		 689 case RB_PRNG_FILE:
690 if(RAND_load_file(path, -1) == -1)
691 return -1;
692 break;
3202e249 693#ifdef _WIN32
db137867
AC		 694 case RB_PRNGWIN32:
695 RAND_screen();
696 break;
697#endif
698 default:
699 return -1;
700 }
701
702 return RAND_status();
703}
704
705int
706rb_get_random(void *buf, size_t length)
707{
a9fb3ed0 708 int ret;
3202e249 709
a9fb3ed0 710 if((ret = RAND_bytes(buf, length)) == 0)
db137867 711 {
a9fb3ed0 712 /* remove the error from the queue */
3202e249 713 ERR_get_error();
db137867 714 }
a9fb3ed0 715 return ret;
db137867
AC		 716}
717
db137867 718const char *
3202e249 719rb_get_ssl_strerror(rb_fde_t *F)
db137867 720{
918d73d5 721 return get_ssl_error(F->ssl_errno);
db137867
AC		 722}
723
e3760ba7 724static int
03469187
SA		 725make_certfp(X509 *cert, uint8_t certfp[RB_SSL_CERTFP_LEN], int method)
726{
727 const ASN1_ITEM *it;
728 const EVP_MD *evp;
729 void *data;
b28c26d9 730 unsigned int len;
03469187
SA		 731
732 switch(method)
733 {
734 case RB_SSL_CERTFP_METH_CERT_SHA1:
735 it = ASN1_ITEM_rptr(X509);
736 evp = EVP_sha1();
737 data = cert;
738 len = RB_SSL_CERTFP_LEN_SHA1;
739 break;
740 case RB_SSL_CERTFP_METH_CERT_SHA256:
741 it = ASN1_ITEM_rptr(X509);
742 evp = EVP_sha256();
743 data = cert;
744 len = RB_SSL_CERTFP_LEN_SHA256;
745 break;
746 case RB_SSL_CERTFP_METH_CERT_SHA512:
747 it = ASN1_ITEM_rptr(X509);
748 evp = EVP_sha512();
749 data = cert;
750 len = RB_SSL_CERTFP_LEN_SHA512;
751 break;
752 case RB_SSL_CERTFP_METH_SPKI_SHA256:
753 it = ASN1_ITEM_rptr(X509_PUBKEY);
754 evp = EVP_sha256();
755 data = X509_get_X509_PUBKEY(cert);
756 len = RB_SSL_CERTFP_LEN_SHA256;
757 break;
758 case RB_SSL_CERTFP_METH_SPKI_SHA512:
759 it = ASN1_ITEM_rptr(X509_PUBKEY);
760 evp = EVP_sha512();
761 data = X509_get_X509_PUBKEY(cert);
762 len = RB_SSL_CERTFP_LEN_SHA512;
763 break;
764 default:
765 return 0;
766 }
767
768 if (ASN1_item_digest(it, evp, data, certfp, &len) != 1)
769 len = 0;
b28c26d9 770 return (int) len;
03469187
SA		 771}
772
7247337a 773int
e6bbb410 774rb_get_ssl_certfp(rb_fde_t *F, uint8_t certfp[RB_SSL_CERTFP_LEN], int method)
7247337a 775{
e3760ba7 776 int len = 0;
7247337a
JT		 777 X509 *cert;
778 int res;
779
780 if (F->ssl == NULL)
781 return 0;
782
783 cert = SSL_get_peer_certificate((SSL *) F->ssl);
e3760ba7
AJ		 784 if(cert == NULL)
785 return 0;
786
787 res = SSL_get_verify_result((SSL *) F->ssl);
788 switch(res)
7247337a 789 {
e3760ba7
AJ		 790 case X509_V_OK:
791 case X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN:
792 case X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE:
793 case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
794 case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY:
795 case X509_V_ERR_CERT_UNTRUSTED:
796 len = make_certfp(cert, certfp, method);
797
798 default: /* to silence code inspectors */
799 break;
7247337a
JT		 800 }
801
e3760ba7
AJ		 802 X509_free(cert);
803 return len;
7247337a
JT		 804}
805
03469187
SA		 806int
807rb_get_ssl_certfp_file(const char *filename, uint8_t certfp[RB_SSL_CERTFP_LEN], int method)
808{
809 X509 *cert;
810 FILE *f = fopen(filename, "r");
811
812 if (!f)
813 return -1;
814
815 cert = PEM_read_X509(f, NULL, NULL, NULL);
816 fclose(f);
817
818 if (cert) {
819 unsigned int len = make_certfp(cert, certfp, method);
820 X509_free(cert);
821 return len;
822 }
823 return 0;
824}
825
db137867
AC		 826int
827rb_supports_ssl(void)
828{
829 return 1;
830}
831
030272f3
VY		 832void
833rb_get_ssl_info(char *buf, size_t len)
834{
5203cba5 835 snprintf(buf, len, "Using SSL: %s compiled: 0x%lx, library 0x%lx",
e732a57b
JT		 836 SSLeay_version(SSLEAY_VERSION),
837 (long)OPENSSL_VERSION_NUMBER, SSLeay());
030272f3
VY		 838}
839
833b2f9c
AC		 840const char *
841rb_ssl_get_cipher(rb_fde_t *F)
842{
843 const SSL_CIPHER *sslciph;
844
845 if(F == NULL || F->ssl == NULL)
846 return NULL;
847
848 if((sslciph = SSL_get_current_cipher(F->ssl)) == NULL)
849 return NULL;
850
851 return SSL_CIPHER_get_name(sslciph);
852}
030272f3 853
b1f05493 854#endif /* HAVE_OPENSSL */
Fork of solanum ircd, history is rebased regularly