Commit | Line | Data |
---|---|---|
db137867 | 1 | /* |
fe037171 | 2 | * librb: a library used by ircd-ratbox and other things |
db137867 AC |
3 | * openssl.c: openssl related code |
4 | * | |
5 | * Copyright (C) 2007-2008 ircd-ratbox development team | |
6 | * Copyright (C) 2007-2008 Aaron Sethman <androsyn@ratbox.org> | |
7 | * | |
8 | * This program is free software; you can redistribute it and/or modify | |
9 | * it under the terms of the GNU General Public License as published by | |
10 | * the Free Software Foundation; either version 2 of the License, or | |
11 | * (at your option) any later version. | |
12 | * | |
13 | * This program is distributed in the hope that it will be useful, | |
14 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | |
15 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
16 | * GNU General Public License for more details. | |
55abcbb2 | 17 | * |
db137867 AC |
18 | * You should have received a copy of the GNU General Public License |
19 | * along with this program; if not, write to the Free Software | |
20 | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 | |
21 | * USA | |
22 | * | |
db137867 AC |
23 | */ |
24 | ||
fe037171 EM |
25 | #include <librb_config.h> |
26 | #include <rb_lib.h> | |
db137867 AC |
27 | |
28 | #ifdef HAVE_OPENSSL | |
29 | ||
30 | #include <commio-int.h> | |
31 | #include <commio-ssl.h> | |
32 | #include <openssl/ssl.h> | |
33 | #include <openssl/dh.h> | |
34 | #include <openssl/err.h> | |
d3806d05 | 35 | #include <openssl/evp.h> |
db137867 | 36 | #include <openssl/rand.h> |
3ae24413 AJ |
37 | #include <openssl/opensslv.h> |
38 | ||
39 | /* | |
40 | * This is a mess but what can you do when the library authors | |
41 | * refuse to play ball with established conventions? | |
42 | */ | |
43 | #if defined(LIBRESSL_VERSION_NUMBER) && (LIBRESSL_VERSION_NUMBER >= 0x20020002L) | |
44 | # define LRB_HAVE_TLS_METHOD_API 1 | |
45 | #else | |
46 | # if !defined(LIBRESSL_VERSION_NUMBER) && (OPENSSL_VERSION_NUMBER >= 0x10100000L) | |
47 | # define LRB_HAVE_TLS_METHOD_API 1 | |
48 | # endif | |
49 | #endif | |
db137867 | 50 | |
b1f05493 AJ |
51 | /* |
52 | * Use SSL_CTX_set_ecdh_auto() in OpenSSL 1.0.2 only | |
53 | * Use SSL_CTX_set1_curves_list() in OpenSSL 1.0.2 and above | |
54 | * TODO: Merge this into the block above if LibreSSL implements them | |
55 | */ | |
56 | #if !defined(LIBRESSL_VERSION_NUMBER) && (OPENSSL_VERSION_NUMBER >= 0x10002000L) | |
57 | # define LRB_HAVE_TLS_SET_CURVES 1 | |
58 | # if (OPENSSL_VERSION_NUMBER < 0x10100000L) | |
59 | # define LRB_HAVE_TLS_ECDH_AUTO 1 | |
60 | # endif | |
61 | #endif | |
62 | ||
/* TLS context used for accepted (server-side) sessions; created in rb_init_ssl(). */
static SSL_CTX *ssl_server_ctx;
/* TLS context used for outgoing (client-side) sessions; created in rb_init_ssl(). */
static SSL_CTX *ssl_client_ctx;
/* SSL ex_data slot that maps an SSL object back to its rb_fde_t; -1 until rb_init_ssl() allocates it. */
static int librb_index = -1;
db137867 | 66 | |
/*
 * Drain the OpenSSL error queue.
 *
 * Returns the last code that was popped, or 0 when the queue was already
 * empty.  The queue is empty on return, so a later failure cannot be
 * reported with an error left over from this operation.
 */
static unsigned long
get_last_err(void)
{
	unsigned long newest = 0;
	unsigned long code;

	/* ERR_get_error() pops one entry per call and returns 0 once empty. */
	while((code = ERR_get_error()) != 0)
		newest = code;

	return newest;
}
80 | ||
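/*
 * Shut down and release the TLS session attached to F.
 *
 * Does nothing when F is NULL or carries no session.  After the call
 * F->ssl is NULL.
 */
void
rb_ssl_shutdown(rb_fde_t *F)
{
	int i;

	if(F == NULL || F->ssl == NULL)
		return;

	SSL_set_shutdown((SSL *) F->ssl, SSL_RECEIVED_SHUTDOWN);

	/* Bounded retry: stop at the first non-zero SSL_shutdown() result. */
	for(i = 0; i < 4; i++)
	{
		if(SSL_shutdown((SSL *) F->ssl))
			break;
	}

	/* Discard whatever the shutdown attempts left on the error queue. */
	get_last_err();
	SSL_free((SSL *) F->ssl);

	/*
	 * Clear the pointer: other functions in this file use F->ssl == NULL
	 * as their "no session" guard, and a stale pointer would let them
	 * (or a second shutdown) touch freed memory.
	 */
	F->ssl = NULL;
}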
97 | ||
/*
 * Return the number of handshake starts recorded for F.  The counter is
 * incremented by rb_ssl_info_callback() on SSL_CB_HANDSHAKE_START.
 * F must not be NULL.
 */
unsigned int
rb_ssl_handshake_count(rb_fde_t *F)
{
	const unsigned int started = F->handshake_count;

	return started;
}
103 | ||
/*
 * Reset the handshake-start counter of F to zero.  F must not be NULL.
 */
void
rb_ssl_clear_handshake_count(rb_fde_t *F)
{
	F->handshake_count = 0U;
}
109 | ||
/*
 * Timeout handler for a pending server-side handshake: reports
 * RB_ERR_TIMEOUT to the accept callback stored on F.
 * The second argument is unused.
 */
static void
rb_ssl_timeout(rb_fde_t *F, void *notused)
{
	struct acceptdata *pending;

	lrb_assert(F->accept != NULL);

	pending = F->accept;
	pending->callback(F, RB_ERR_TIMEOUT, NULL, 0, pending->data);
}
116 | ||
117 | ||
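/*
 * OpenSSL info callback: counts handshake starts per connection.
 *
 * The parameter is const SSL * so the definition matches the function
 * pointer type it is registered under; calling it through a pointer of an
 * incompatible type would be undefined behaviour.
 *
 * Each SSL_CB_HANDSHAKE_START event increments handshake_count on the
 * rb_fde_t stored in the librb_index ex_data slot, which is what
 * rb_ssl_handshake_count() later reports.
 */
static void
rb_ssl_info_callback(const SSL *ssl, int where, int ret)
{
	rb_fde_t *F;

	(void) ret;

	if(!(where & SSL_CB_HANDSHAKE_START))
		return;

	F = SSL_get_ex_data(ssl, librb_index);
	if(F == NULL)
		return;

	F->handshake_count++;
}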
129 | ||
/*
 * Attach F to its SSL object (ex_data slot librb_index) and register the
 * handshake-counting info callback on that session.
 */
static void
rb_setup_ssl_cb(rb_fde_t *F)
{
	SSL *session = (SSL *) F->ssl;

	SSL_set_ex_data(session, librb_index, (char *)F);
	SSL_set_info_callback(session, (void (*)(const SSL *,int,int))rb_ssl_info_callback);
}
136 | ||
/*
 * Drive a non-blocking server-side handshake on F.
 *
 * While the handshake is incomplete, SSL_accept() is retried:
 *   - WANT_READ / WANT_WRITE: re-arm this function for that direction;
 *   - SSL_ERROR_SYSCALL: report RB_ERROR to the accept callback;
 *   - anything else: record the error code and report RB_ERROR_SSL.
 * Once the handshake is done, the timeout and select handlers are
 * cleared, the accept callback is invoked with RB_OK and the stored peer
 * address, and the acceptdata is freed.  The data argument is unused.
 */
static void
rb_ssl_tryaccept(rb_fde_t *F, void *data)
{
	struct acceptdata *ad;
	int rc;
	int reason;

	lrb_assert(F->accept != NULL);

	if(!SSL_is_init_finished((SSL *) F->ssl))
	{
		rc = SSL_accept((SSL *) F->ssl);
		if(rc <= 0)
		{
			reason = SSL_get_error((SSL *) F->ssl, rc);

			if(reason == SSL_ERROR_WANT_READ || reason == SSL_ERROR_WANT_WRITE)
			{
				const int flags = (reason == SSL_ERROR_WANT_WRITE)
					? RB_SELECT_WRITE : RB_SELECT_READ;

				F->ssl_errno = get_last_err();
				rb_setselect(F, flags, rb_ssl_tryaccept, NULL);
			}
			else if(reason == SSL_ERROR_SYSCALL)
			{
				F->accept->callback(F, RB_ERROR, NULL, 0, F->accept->data);
			}
			else
			{
				F->ssl_errno = get_last_err();
				F->accept->callback(F, RB_ERROR_SSL, NULL, 0, F->accept->data);
			}
			return;
		}
	}

	/* Handshake complete: stop the handshake timer and select handlers. */
	rb_settimeout(F, 0, NULL, NULL);
	rb_setselect(F, RB_SELECT_READ | RB_SELECT_WRITE, NULL, NULL);

	/* Detach the acceptdata before the callback runs, then free it. */
	ad = F->accept;
	F->accept = NULL;
	ad->callback(F, RB_OK, (struct sockaddr *)&ad->S, ad->addrlen, ad->data);
	rb_free(ad);
}
180 | ||
c2ac22cc VY |
181 | |
/*
 * First SSL_accept() attempt on a freshly set up server-side session.
 *
 * On success, completion is delegated to rb_ssl_tryaccept().  On failure
 * the handshake is retried later (via rb_ssl_tryaccept) when OpenSSL
 * wants more I/O, or when it reports SSL_ERROR_SYSCALL with an errno that
 * rb_ignore_errno() accepts.  Any other failure records the error code
 * and reports RB_ERROR_SSL to the accept callback.
 */
static void
rb_ssl_accept_common(rb_fde_t *new_F)
{
	int rc = SSL_accept((SSL *) new_F->ssl);
	int reason;
	int retry;

	if(rc > 0)
	{
		rb_ssl_tryaccept(new_F, NULL);
		return;
	}

	reason = SSL_get_error((SSL *) new_F->ssl, rc);

	/* errno is consulted only for SSL_ERROR_SYSCALL. */
	retry = (reason == SSL_ERROR_WANT_READ
		 || reason == SSL_ERROR_WANT_WRITE
		 || (reason == SSL_ERROR_SYSCALL && rb_ignore_errno(errno)));

	new_F->ssl_errno = get_last_err();

	if(retry)
		rb_setselect(new_F, RB_SELECT_READ | RB_SELECT_WRITE,
			     rb_ssl_tryaccept, NULL);
	else
		new_F->accept->callback(new_F, RB_ERROR_SSL, NULL, 0, new_F->accept->data);
}
211 | ||
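/*
 * Start a server-side TLS handshake on an already accepted descriptor.
 *
 * new_F   descriptor to upgrade; marked RB_FD_SSL
 * cb      accept callback that receives the handshake result
 * data    opaque pointer handed back to cb
 * timeout handshake timeout passed to rb_settimeout()
 *
 * If the session object cannot be created, the error code is recorded
 * and cb is invoked with RB_ERROR_SSL, the same way a failed handshake is
 * reported by rb_ssl_accept_common().
 */
void
rb_ssl_start_accepted(rb_fde_t *new_F, ACCB * cb, void *data, int timeout)
{
	new_F->type |= RB_FD_SSL;
	new_F->ssl = SSL_new(ssl_server_ctx);
	new_F->accept = rb_malloc(sizeof(struct acceptdata));

	new_F->accept->callback = cb;
	new_F->accept->data = data;
	rb_settimeout(new_F, timeout, rb_ssl_timeout, NULL);

	/* No peer address is stored for this entry point. */
	new_F->accept->addrlen = 0;

	/* SSL_new() can fail; never hand a NULL session to SSL_set_fd(). */
	if(new_F->ssl == NULL)
	{
		new_F->ssl_errno = get_last_err();
		new_F->accept->callback(new_F, RB_ERROR_SSL, NULL, 0, new_F->accept->data);
		return;
	}

	SSL_set_fd((SSL *) new_F->ssl, rb_get_fd(new_F));
	rb_setup_ssl_cb(new_F);
	rb_ssl_accept_common(new_F);
}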
228 | ||
db137867 AC |
229 | |
230 | ||
231 | ||
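/*
 * Prepare a connection accepted on TLS listener F and start its
 * server-side handshake.
 *
 * F        listening descriptor whose accept callback and data are inherited
 * new_F    newly accepted descriptor; marked RB_FD_SSL
 * st       peer address, copied into new_F->accept->S
 * addrlen  length of st in bytes
 *
 * The handshake timeout is fixed at 10 seconds.  Failures before the
 * handshake starts are reported through the inherited accept callback:
 * RB_ERROR for an address length that does not fit the storage, and
 * RB_ERROR_SSL when the session object cannot be created.
 */
void
rb_ssl_accept_setup(rb_fde_t *F, rb_fde_t *new_F, struct sockaddr *st, int addrlen)
{
	new_F->type |= RB_FD_SSL;
	new_F->ssl = SSL_new(ssl_server_ctx);
	new_F->accept = rb_malloc(sizeof(struct acceptdata));

	new_F->accept->callback = F->accept->callback;
	new_F->accept->data = F->accept->data;
	rb_settimeout(new_F, 10, rb_ssl_timeout, NULL);

	/*
	 * Defensive bound: addrlen is supplied by the caller, so make sure
	 * the copy below cannot write past the address storage.
	 */
	if(addrlen < 0 || (size_t) addrlen > sizeof(new_F->accept->S))
	{
		new_F->accept->addrlen = 0;
		new_F->accept->callback(new_F, RB_ERROR, NULL, 0, new_F->accept->data);
		return;
	}

	memcpy(&new_F->accept->S, st, addrlen);
	new_F->accept->addrlen = addrlen;

	/* SSL_new() can fail; never hand a NULL session to SSL_set_fd(). */
	if(new_F->ssl == NULL)
	{
		new_F->ssl_errno = get_last_err();
		new_F->accept->callback(new_F, RB_ERROR_SSL, NULL, 0, new_F->accept->data);
		return;
	}

	SSL_set_fd((SSL *) new_F->ssl, rb_get_fd(new_F));
	rb_setup_ssl_cb(new_F);
	rb_ssl_accept_common(new_F);
}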
249 | ||
/*
 * Shared implementation of rb_ssl_read() and rb_ssl_write().
 *
 * r_or_w  0 to read into rbuf, anything else to write from wbuf
 * count   number of bytes requested
 *
 * Returns the byte count on success (0 included), RB_RW_SSL_NEED_READ or
 * RB_RW_SSL_NEED_WRITE (errno = EAGAIN) when OpenSSL needs more I/O, 0 on
 * SSL_ERROR_ZERO_RETURN, RB_RW_SSL_ERROR (errno = EIO) when an OpenSSL
 * error code was queued, and RB_RW_IO_ERROR otherwise.  The queued code,
 * if any, is stored in F->ssl_errno.
 *
 * NOTE(review): count is narrowed to int for SSL_read()/SSL_write();
 * callers presumably never pass more than INT_MAX bytes -- confirm.
 */
static ssize_t
rb_ssl_read_or_write(int r_or_w, rb_fde_t *F, void *rbuf, const void *wbuf, size_t count)
{
	SSL *ssl = F->ssl;
	unsigned long err;
	ssize_t ret;

	ret = (r_or_w == 0)
		? (ssize_t) SSL_read(ssl, rbuf, (int)count)
		: (ssize_t) SSL_write(ssl, wbuf, (int)count);

	if(ret >= 0)
		return ret;

	switch (SSL_get_error(ssl, ret))
	{
	case SSL_ERROR_WANT_READ:
		errno = EAGAIN;
		return RB_RW_SSL_NEED_READ;
	case SSL_ERROR_WANT_WRITE:
		errno = EAGAIN;
		return RB_RW_SSL_NEED_WRITE;
	case SSL_ERROR_ZERO_RETURN:
		return 0;
	case SSL_ERROR_SYSCALL:
		err = get_last_err();
		if(err == 0)
		{
			/* nothing queued by OpenSSL: plain I/O failure */
			F->ssl_errno = 0;
			return RB_RW_IO_ERROR;
		}
		break;
	default:
		err = get_last_err();
		break;
	}

	F->ssl_errno = err;
	if(err == 0)
		return RB_RW_IO_ERROR;

	errno = EIO;	/* not great but... */
	return RB_RW_SSL_ERROR;
}
296 | ||
/*
 * Read up to count bytes of decrypted data from F into buf.
 * Return values are those of rb_ssl_read_or_write().
 */
ssize_t
rb_ssl_read(rb_fde_t *F, void *buf, size_t count)
{
	const int do_read = 0;

	return rb_ssl_read_or_write(do_read, F, buf, NULL, count);
}
302 | ||
/*
 * Write up to count bytes from buf to the TLS session on F.
 * Return values are those of rb_ssl_read_or_write().
 */
ssize_t
rb_ssl_write(rb_fde_t *F, const void *buf, size_t count)
{
	const int do_write = 1;

	return rb_ssl_read_or_write(do_write, F, NULL, buf, count);
}
308 | ||
/*
 * Certificate verification callback that accepts every peer certificate.
 *
 * Always returns 1, so chain validation failures never abort the
 * handshake.  This callback makes no trust decision: the verification
 * result is inspected afterwards in rb_get_ssl_certfp(), so a completed
 * handshake alone must not be read as "peer certificate is trusted".
 */
static int
verify_accept_all_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)
{
	(void) preverify_ok;
	(void) x509_ctx;

	return 1;
}
314 | ||
/*
 * Render an OpenSSL error code as text.
 *
 * The string lives in a function-local static buffer: each call
 * overwrites the previous result, so copy it if it must outlive the next
 * call.
 */
static const char *
get_ssl_error(unsigned long err)
{
	static char msg[512];

	ERR_error_string_n(err, msg, sizeof(msg));
	return msg;
}
323 | ||
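/*
 * Initialise OpenSSL and create the shared server and client contexts.
 *
 * Returns 1 on success and 0 on failure.  A context that could not be
 * created is never configured: the function logs the error and returns 0
 * instead of passing a NULL context to the SSL_CTX_* calls.  A rejected
 * built-in cipher list is logged and also makes the function return 0.
 *
 * Server context policy set here: SSLv2/SSLv3 disabled (where the
 * version-flexible TLS_*_method API is not available), fresh DH/ECDH keys
 * per handshake, no session tickets, no session cache, server cipher
 * preference, and a client certificate is requested from peers.
 */
int
rb_init_ssl(void)
{
	int ret = 1;
	long server_options;
	/* static: the pointer is handed to OpenSSL and must stay valid */
	static char librb_data[] = "librb data";
	const char librb_ciphers[] = "kEECDH+HIGH:kEDH+HIGH:HIGH:!RC4:!aNULL";
#ifdef LRB_HAVE_TLS_SET_CURVES
	const char librb_curves[] = "P-521:P-384:P-256";
#endif

	SSL_load_error_strings();
	SSL_library_init();
	librb_index = SSL_get_ex_new_index(0, librb_data, NULL, NULL, NULL);

#ifndef LRB_HAVE_TLS_METHOD_API
	ssl_server_ctx = SSL_CTX_new(SSLv23_server_method());
#else
	ssl_server_ctx = SSL_CTX_new(TLS_server_method());
#endif

	if(ssl_server_ctx == NULL)
	{
		rb_lib_log("rb_init_openssl: Unable to initialize OpenSSL server context: %s",
			   get_ssl_error(ERR_get_error()));
		/* nothing below may touch a NULL context */
		return 0;
	}

	server_options = SSL_CTX_get_options(ssl_server_ctx);

#ifndef LRB_HAVE_TLS_METHOD_API
	server_options |= SSL_OP_NO_SSLv2;
	server_options |= SSL_OP_NO_SSLv3;
#endif

#ifdef SSL_OP_SINGLE_DH_USE
	server_options |= SSL_OP_SINGLE_DH_USE;
#endif

#ifdef SSL_OP_SINGLE_ECDH_USE
	server_options |= SSL_OP_SINGLE_ECDH_USE;
#endif

#ifdef SSL_OP_NO_TICKET
	server_options |= SSL_OP_NO_TICKET;
#endif

	server_options |= SSL_OP_CIPHER_SERVER_PREFERENCE;

	SSL_CTX_set_options(ssl_server_ctx, server_options);
	/*
	 * A client certificate is requested but every chain is accepted by
	 * verify_accept_all_cb; rb_get_ssl_certfp() looks at the verify result.
	 */
	SSL_CTX_set_verify(ssl_server_ctx, SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE, verify_accept_all_cb);
	SSL_CTX_set_session_cache_mode(ssl_server_ctx, SSL_SESS_CACHE_OFF);

	if(!SSL_CTX_set_cipher_list(ssl_server_ctx, librb_ciphers))
	{
		rb_lib_log("rb_init_openssl: Unable to set server cipher list: %s",
			   get_ssl_error(ERR_get_error()));
		ret = 0;
	}

#ifdef LRB_HAVE_TLS_SET_CURVES
	SSL_CTX_set1_curves_list(ssl_server_ctx, librb_curves);
#endif

#ifdef LRB_HAVE_TLS_ECDH_AUTO
	SSL_CTX_set_ecdh_auto(ssl_server_ctx, 1);
#endif

#if !defined(LRB_HAVE_TLS_SET_CURVES) && !defined(LRB_HAVE_TLS_ECDH_AUTO)
	/* Set ECDHE on OpenSSL 1.0.0 & 1.0.1, but make sure it's actually available
	 * (it's not by default on Solaris or Red Hat)
	 */
#if (OPENSSL_VERSION_NUMBER >= 0x10000000L) && !defined(OPENSSL_NO_ECDH)
	EC_KEY *key = EC_KEY_new_by_curve_name(NID_secp384r1);
	if (key) {
		SSL_CTX_set_tmp_ecdh(ssl_server_ctx, key);
		EC_KEY_free(key);
	}
#endif
#endif

#ifndef LRB_HAVE_TLS_METHOD_API
	ssl_client_ctx = SSL_CTX_new(SSLv23_client_method());
#else
	ssl_client_ctx = SSL_CTX_new(TLS_client_method());
#endif

	if(ssl_client_ctx == NULL)
	{
		rb_lib_log("rb_init_openssl: Unable to initialize OpenSSL client context: %s",
			   get_ssl_error(ERR_get_error()));
		/* nothing below may touch a NULL context */
		return 0;
	}

#ifndef LRB_HAVE_TLS_METHOD_API
	SSL_CTX_set_options(ssl_client_ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
#endif

#ifdef SSL_OP_NO_TICKET
	SSL_CTX_set_options(ssl_client_ctx, SSL_OP_NO_TICKET);
#endif

	if(!SSL_CTX_set_cipher_list(ssl_client_ctx, librb_ciphers))
	{
		rb_lib_log("rb_init_openssl: Unable to set client cipher list: %s",
			   get_ssl_error(ERR_get_error()));
		ret = 0;
	}

	return ret;
}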
422 | ||
423 | ||
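/*
 * Load the certificate chain, private key, optional DH parameters and
 * optional cipher list into the shared TLS contexts.
 *
 * cert         PEM certificate chain file, loaded into both contexts
 * keyfile      PEM private key file, loaded into both contexts
 * dhfile       optional DH parameter file for the server context
 * cipher_list  optional OpenSSL cipher string for the server context
 *
 * Returns 1 on success and 0 on failure (details are logged).  A DH file
 * that cannot be opened is only logged; a DH file that opens but does not
 * parse is an error.  A cipher_list that OpenSSL rejects is an error, so
 * an operator's cipher restriction is never dropped silently.
 */
int
rb_setup_ssl_server(const char *cert, const char *keyfile, const char *dhfile, const char *cipher_list)
{
	DH *dh;
	unsigned long err;

	/* rb_init_ssl() may have failed to create a context. */
	if(ssl_server_ctx == NULL || ssl_client_ctx == NULL)
	{
		rb_lib_log("rb_setup_ssl_server: SSL contexts are not initialized");
		return 0;
	}

	if(cert == NULL)
	{
		rb_lib_log("rb_setup_ssl_server: No certificate file");
		return 0;
	}
	if(!SSL_CTX_use_certificate_chain_file(ssl_server_ctx, cert) || !SSL_CTX_use_certificate_chain_file(ssl_client_ctx, cert))
	{
		err = ERR_get_error();
		rb_lib_log("rb_setup_ssl_server: Error loading certificate file [%s]: %s", cert,
			   get_ssl_error(err));
		return 0;
	}

	if(keyfile == NULL)
	{
		rb_lib_log("rb_setup_ssl_server: No key file");
		return 0;
	}

	if(!SSL_CTX_use_PrivateKey_file(ssl_server_ctx, keyfile, SSL_FILETYPE_PEM) || !SSL_CTX_use_PrivateKey_file(ssl_client_ctx, keyfile, SSL_FILETYPE_PEM))
	{
		err = ERR_get_error();
		rb_lib_log("rb_setup_ssl_server: Error loading keyfile [%s]: %s", keyfile,
			   get_ssl_error(err));
		return 0;
	}

	if(dhfile != NULL)
	{
		/* DH parameters aren't necessary, but they are nice..if they didn't pass one..that is their problem */
		BIO *bio = BIO_new_file(dhfile, "r");
		if(bio != NULL)
		{
			dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
			if(dh == NULL)
			{
				err = ERR_get_error();
				rb_lib_log
					("rb_setup_ssl_server: Error loading DH params file [%s]: %s",
					 dhfile, get_ssl_error(err));
				BIO_free(bio);
				return 0;
			}
			BIO_free(bio);
			SSL_CTX_set_tmp_dh(ssl_server_ctx, dh);
			/* the caller still owns dh after SSL_CTX_set_tmp_dh(); release it */
			DH_free(dh);
		}
		else
		{
			err = ERR_get_error();
			rb_lib_log("rb_setup_ssl_server: Error loading DH params file [%s]: %s",
				   dhfile, get_ssl_error(err));
		}
	}

	if(cipher_list != NULL && !SSL_CTX_set_cipher_list(ssl_server_ctx, cipher_list))
	{
		err = ERR_get_error();
		rb_lib_log("rb_setup_ssl_server: Error setting cipher list [%s]: %s",
			   cipher_list, get_ssl_error(err));
		return 0;
	}

	return 1;
}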
491 | ||
/*
 * Put F into listening state via rb_listen() and mark it as a TLS
 * listening socket.  Returns whatever rb_listen() returned; the type
 * flags are set regardless of that result.
 */
int
rb_ssl_listen(rb_fde_t *F, int backlog, int defer_accept)
{
	const int rc = rb_listen(F, backlog, defer_accept);

	F->type = RB_FD_SOCKET | RB_FD_LISTEN | RB_FD_SSL;

	return rc;
}
502 | ||
/*
 * State carried through an outgoing TLS handshake.  It is allocated by
 * rb_connect_tcp_ssl() / rb_ssl_start_connected() and freed in
 * rb_ssl_connect_realcb().
 */
struct ssl_connect
{
	CNCB *callback;	/* caller's connect callback, restored onto F->connect when done */
	void *data;	/* caller's opaque pointer, restored alongside callback */
	int timeout;	/* handshake timeout passed to rb_settimeout() */
};
509 | ||
/*
 * Finish an outgoing TLS connection attempt: restore the caller's
 * callback and data on F->connect, free the handshake state, and report
 * status through rb_connect_callback().  sconn is freed here and must not
 * be used afterwards.
 */
static void
rb_ssl_connect_realcb(rb_fde_t *F, int status, struct ssl_connect *sconn)
{
	CNCB *user_cb = sconn->callback;
	void *user_data = sconn->data;

	rb_free(sconn);

	F->connect->callback = user_cb;
	F->connect->data = user_data;
	rb_connect_callback(F, status);
}
518 | ||
/*
 * Timeout handler for an outgoing handshake: reports RB_ERR_TIMEOUT.
 * data is the struct ssl_connect for this attempt.
 */
static void
rb_ssl_tryconn_timeout_cb(rb_fde_t *F, void *data)
{
	struct ssl_connect *sconn = data;

	rb_ssl_connect_realcb(F, RB_ERR_TIMEOUT, sconn);
}
524 | ||
/*
 * Select callback that continues a non-blocking client handshake on F.
 * data is the struct ssl_connect carrying the caller's callback and data.
 *
 * Nothing happens when SSL_is_init_finished() already reports completion.
 * Otherwise SSL_connect() is retried: success reports RB_OK, a retryable
 * condition re-arms this callback, and any other failure records the
 * error code and reports RB_ERROR_SSL.
 */
static void
rb_ssl_tryconn_cb(rb_fde_t *F, void *data)
{
	struct ssl_connect *sconn = data;
	int ssl_err;
	if(!SSL_is_init_finished((SSL *) F->ssl))
	{
		if((ssl_err = SSL_connect((SSL *) F->ssl)) <= 0)
		{
			switch (ssl_err = SSL_get_error((SSL *) F->ssl, ssl_err))
			{
			case SSL_ERROR_SYSCALL:
				/*
				 * The WANT_READ/WANT_WRITE labels sit inside this if's body:
				 * SYSCALL with an ignorable errno runs the retry block, and a
				 * non-ignorable errno skips it and continues at default.
				 */
				if(rb_ignore_errno(errno))
			case SSL_ERROR_WANT_READ:
			case SSL_ERROR_WANT_WRITE:
					{
						F->ssl_errno = get_last_err();
						rb_setselect(F, RB_SELECT_READ | RB_SELECT_WRITE,
							     rb_ssl_tryconn_cb, sconn);
						return;
					}
			default:
				/* hard failure: keep the error code for rb_get_ssl_strerror() */
				F->ssl_errno = get_last_err();
				rb_ssl_connect_realcb(F, RB_ERROR_SSL, sconn);
				return;
			}
		}
		else
		{
			rb_ssl_connect_realcb(F, RB_OK, sconn);
		}
	}
}
558 | ||
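/*
 * TCP connect callback used by rb_connect_tcp_ssl(): once the TCP
 * connection is up, create the client TLS session and start the
 * handshake.
 *
 * status  result of the TCP connect; anything but RB_OK is passed on
 * data    struct ssl_connect for this attempt
 *
 * A session object that cannot be created is reported as RB_ERROR_SSL
 * instead of being passed as NULL to SSL_set_fd().  A handshake that
 * needs more I/O (or fails with SSL_ERROR_SYSCALL and an errno accepted
 * by rb_ignore_errno()) is continued in rb_ssl_tryconn_cb().
 */
static void
rb_ssl_tryconn(rb_fde_t *F, int status, void *data)
{
	struct ssl_connect *sconn = data;
	int ssl_err;

	if(status != RB_OK)
	{
		rb_ssl_connect_realcb(F, status, sconn);
		return;
	}

	F->type |= RB_FD_SSL;
	F->ssl = SSL_new(ssl_client_ctx);
	if(F->ssl == NULL)
	{
		F->ssl_errno = get_last_err();
		rb_ssl_connect_realcb(F, RB_ERROR_SSL, sconn);
		return;
	}

	SSL_set_fd((SSL *) F->ssl, F->fd);
	rb_setup_ssl_cb(F);
	rb_settimeout(F, sconn->timeout, rb_ssl_tryconn_timeout_cb, sconn);

	ssl_err = SSL_connect((SSL *) F->ssl);
	if(ssl_err > 0)
	{
		rb_ssl_connect_realcb(F, RB_OK, sconn);
		return;
	}

	ssl_err = SSL_get_error((SSL *) F->ssl, ssl_err);

	/* errno is consulted only for SSL_ERROR_SYSCALL */
	if(ssl_err == SSL_ERROR_WANT_READ || ssl_err == SSL_ERROR_WANT_WRITE
	   || (ssl_err == SSL_ERROR_SYSCALL && rb_ignore_errno(errno)))
	{
		F->ssl_errno = get_last_err();
		rb_setselect(F, RB_SELECT_READ | RB_SELECT_WRITE,
			     rb_ssl_tryconn_cb, sconn);
		return;
	}

	F->ssl_errno = get_last_err();
	rb_ssl_connect_realcb(F, RB_ERROR_SSL, sconn);
}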
600 | ||
/*
 * Open a TCP connection to dest and run a client TLS handshake on it.
 *
 * callback/data are kept in a struct ssl_connect and restored once the
 * handshake finishes; timeout is used for the TCP connect and again for
 * the handshake.  Does nothing when F is NULL.
 */
void
rb_connect_tcp_ssl(rb_fde_t *F, struct sockaddr *dest,
		   struct sockaddr *clocal, CNCB * callback, void *data, int timeout)
{
	struct ssl_connect *pending;

	if(F == NULL)
		return;

	pending = rb_malloc(sizeof(struct ssl_connect));
	pending->callback = callback;
	pending->data = data;
	pending->timeout = timeout;

	/* rb_ssl_tryconn() takes over once the TCP connect completes. */
	rb_connect_tcp(F, dest, clocal, rb_ssl_tryconn, pending, timeout);
}
615 | ||
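/*
 * Start a client TLS handshake on an already connected descriptor.
 *
 * callback/data receive the result through rb_connect_callback();
 * timeout bounds the handshake.  Does nothing when F is NULL.
 *
 * A session object that cannot be created is reported as RB_ERROR_SSL
 * instead of being passed as NULL to SSL_set_fd().  A handshake that
 * needs more I/O (or fails with SSL_ERROR_SYSCALL and an errno accepted
 * by rb_ignore_errno()) is continued in rb_ssl_tryconn_cb().
 */
void
rb_ssl_start_connected(rb_fde_t *F, CNCB * callback, void *data, int timeout)
{
	struct ssl_connect *sconn;
	int ssl_err;

	if(F == NULL)
		return;

	sconn = rb_malloc(sizeof(struct ssl_connect));
	sconn->data = data;
	sconn->callback = callback;
	sconn->timeout = timeout;
	F->connect = rb_malloc(sizeof(struct conndata));
	F->connect->callback = callback;
	F->connect->data = data;
	F->type |= RB_FD_SSL;
	F->ssl = SSL_new(ssl_client_ctx);
	if(F->ssl == NULL)
	{
		F->ssl_errno = get_last_err();
		rb_ssl_connect_realcb(F, RB_ERROR_SSL, sconn);
		return;
	}

	SSL_set_fd((SSL *) F->ssl, F->fd);
	rb_setup_ssl_cb(F);
	rb_settimeout(F, sconn->timeout, rb_ssl_tryconn_timeout_cb, sconn);

	ssl_err = SSL_connect((SSL *) F->ssl);
	if(ssl_err > 0)
	{
		rb_ssl_connect_realcb(F, RB_OK, sconn);
		return;
	}

	ssl_err = SSL_get_error((SSL *) F->ssl, ssl_err);

	/* errno is consulted only for SSL_ERROR_SYSCALL */
	if(ssl_err == SSL_ERROR_WANT_READ || ssl_err == SSL_ERROR_WANT_WRITE
	   || (ssl_err == SSL_ERROR_SYSCALL && rb_ignore_errno(errno)))
	{
		F->ssl_errno = get_last_err();
		rb_setselect(F, RB_SELECT_READ | RB_SELECT_WRITE,
			     rb_ssl_tryconn_cb, sconn);
		return;
	}

	F->ssl_errno = get_last_err();
	rb_ssl_connect_realcb(F, RB_ERROR_SSL, sconn);
}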
662 | ||
/*
 * Seed the OpenSSL PRNG.
 *
 * path       seed file, used when seed_type is RB_PRNG_FILE
 * seed_type  RB_PRNG_DEFAULT, RB_PRNG_FILE or (Windows only) RB_PRNGWIN32
 *
 * Returns RAND_status() after seeding, or -1 when the seed file cannot be
 * loaded or the seed type is not handled.  With RB_PRNG_DEFAULT, or when
 * path is NULL, no seed file is read.
 */
int
rb_init_prng(const char *path, prng_seed_t seed_type)
{
	if(seed_type == RB_PRNG_DEFAULT)
	{
#ifdef _WIN32
		RAND_screen();
#endif
		return RAND_status();
	}

	if(path == NULL)
		return RAND_status();

	if(seed_type == RB_PRNG_FILE)
	{
		/* -1 asks RAND_load_file() to read the whole file */
		if(RAND_load_file(path, -1) == -1)
			return -1;
	}
#ifdef _WIN32
	else if(seed_type == RB_PRNGWIN32)
	{
		RAND_screen();
	}
#endif
	else
	{
		return -1;
	}

	return RAND_status();
}
693 | ||
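/*
 * Fill buf with length cryptographically strong random bytes.
 *
 * Returns the RAND_bytes() result unchanged: 1 means the buffer was
 * filled; any other value means it was not and buf must not be used as
 * random data.  On every failure value the queued OpenSSL error is
 * removed, so it cannot be blamed on a later TLS operation.
 */
int
rb_get_random(void *buf, size_t length)
{
	int ret;

	ret = RAND_bytes(buf, length);
	if(ret != 1)
	{
		/* remove the error from the queue */
		ERR_get_error();
	}
	return ret;
}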
706 | ||
/*
 * Return the text for the last OpenSSL error recorded on F
 * (F->ssl_errno).  The string comes from get_ssl_error()'s static buffer
 * and is overwritten by the next call.
 */
const char *
rb_get_ssl_strerror(rb_fde_t *F)
{
	const unsigned long code = F->ssl_errno;

	return get_ssl_error(code);
}
712 | ||
/*
 * Compute a certificate fingerprint.
 *
 * cert    certificate to fingerprint
 * certfp  output buffer of RB_SSL_CERTFP_LEN bytes
 * method  one of the RB_SSL_CERTFP_METH_* values; CERT_* methods digest
 *         the whole certificate, SPKI_* methods digest its public key
 *
 * Returns the digest length in bytes, or 0 for an unknown method or a
 * digest failure.  The SHA-1 method is still handled here; it is the
 * weakest digest of the set.
 */
static unsigned int
make_certfp(X509 *cert, uint8_t certfp[RB_SSL_CERTFP_LEN], int method)
{
	const ASN1_ITEM *it;
	const EVP_MD *evp;
	void *data;
	unsigned int len;
	int use_spki = 0;

	switch(method)
	{
	case RB_SSL_CERTFP_METH_CERT_SHA1:
		evp = EVP_sha1();
		len = RB_SSL_CERTFP_LEN_SHA1;
		break;
	case RB_SSL_CERTFP_METH_CERT_SHA256:
		evp = EVP_sha256();
		len = RB_SSL_CERTFP_LEN_SHA256;
		break;
	case RB_SSL_CERTFP_METH_CERT_SHA512:
		evp = EVP_sha512();
		len = RB_SSL_CERTFP_LEN_SHA512;
		break;
	case RB_SSL_CERTFP_METH_SPKI_SHA256:
		use_spki = 1;
		evp = EVP_sha256();
		len = RB_SSL_CERTFP_LEN_SHA256;
		break;
	case RB_SSL_CERTFP_METH_SPKI_SHA512:
		use_spki = 1;
		evp = EVP_sha512();
		len = RB_SSL_CERTFP_LEN_SHA512;
		break;
	default:
		return 0;
	}

	if(use_spki)
	{
		it = ASN1_ITEM_rptr(X509_PUBKEY);
		data = X509_get_X509_PUBKEY(cert);
	}
	else
	{
		it = ASN1_ITEM_rptr(X509);
		data = cert;
	}

	return (ASN1_item_digest(it, evp, data, certfp, &len) == 1) ? len : 0;
}
761 | ||
/*
 * Fingerprint the certificate presented by the peer on F.
 *
 * Returns the fingerprint length in bytes, or 0 when F has no TLS
 * session, the peer sent no certificate, the verify result is not one of
 * the accepted values below, or the digest failed.
 *
 * Besides X509_V_OK, the accepted verify results are the self-signed,
 * unknown-issuer and untrusted cases, so a returned fingerprint
 * identifies the peer's certificate or key; it does not mean the chain
 * validated against a trusted CA.  Any other verify result yields 0.
 */
int
rb_get_ssl_certfp(rb_fde_t *F, uint8_t certfp[RB_SSL_CERTFP_LEN], int method)
{
	X509 *cert;
	int res;
	unsigned int len = 0;

	if (F->ssl == NULL)
		return 0;

	cert = SSL_get_peer_certificate((SSL *) F->ssl);
	if(cert == NULL)
		return 0;

	res = SSL_get_verify_result((SSL *) F->ssl);
	switch(res)
	{
	case X509_V_OK:
	case X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN:
	case X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE:
	case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
	case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY:
	case X509_V_ERR_CERT_UNTRUSTED:
		len = make_certfp(cert, certfp, method);
		break;
	default:
		break;
	}

	/* SSL_get_peer_certificate() returned a reference we must drop */
	X509_free(cert);
	return len;
}
792 | ||
/*
 * Fingerprint the first PEM certificate found in filename.
 *
 * Returns the fingerprint length in bytes, 0 when no certificate could be
 * parsed or the digest failed, and -1 when the file cannot be opened.
 */
int
rb_get_ssl_certfp_file(const char *filename, uint8_t certfp[RB_SSL_CERTFP_LEN], int method)
{
	unsigned int len;
	X509 *cert;
	FILE *f;

	f = fopen(filename, "r");
	if (f == NULL)
		return -1;

	cert = PEM_read_X509(f, NULL, NULL, NULL);
	fclose(f);

	if (cert == NULL)
		return 0;

	len = make_certfp(cert, certfp, method);
	X509_free(cert);
	return len;
}
812 | ||
/*
 * Report whether this build has TLS support.  This definition is only
 * compiled when HAVE_OPENSSL is defined, so it always returns 1.
 */
int
rb_supports_ssl(void)
{
	const int supported = 1;

	return supported;
}
818 | ||
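/*
 * Write a one-line description of the TLS library into buf (at most len
 * bytes, NUL-terminated by snprintf): the runtime version string, the
 * version number this file was compiled against, and the version number
 * of the library actually loaded.
 *
 * Both numbers are passed as unsigned long so they match the %lx
 * conversions.
 */
void
rb_get_ssl_info(char *buf, size_t len)
{
	snprintf(buf, len, "Using SSL: %s compiled: 0x%lx, library 0x%lx",
		 SSLeay_version(SSLEAY_VERSION),
		 (unsigned long)OPENSSL_VERSION_NUMBER, (unsigned long)SSLeay());
}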
826 | ||
/*
 * Return the name of the cipher negotiated on F, or NULL when F is NULL,
 * has no TLS session, or no cipher is currently in use.
 */
const char *
rb_ssl_get_cipher(rb_fde_t *F)
{
	const SSL_CIPHER *negotiated;

	if(F == NULL || F->ssl == NULL)
		return NULL;

	negotiated = SSL_get_current_cipher(F->ssl);
	if(negotiated == NULL)
		return NULL;

	return SSL_CIPHER_get_name(negotiated);
}
030272f3 | 840 | |
b1f05493 | 841 | #endif /* HAVE_OPENSSL */ |