]>
Commit | Line | Data |
---|---|---|
db137867 | 1 | /* |
fe037171 | 2 | * librb: a library used by ircd-ratbox and other things |
db137867 AC |
3 | * openssl.c: openssl related code |
4 | * | |
5 | * Copyright (C) 2007-2008 ircd-ratbox development team | |
6 | * Copyright (C) 2007-2008 Aaron Sethman <androsyn@ratbox.org> | |
7 | * | |
8 | * This program is free software; you can redistribute it and/or modify | |
9 | * it under the terms of the GNU General Public License as published by | |
10 | * the Free Software Foundation; either version 2 of the License, or | |
11 | * (at your option) any later version. | |
12 | * | |
13 | * This program is distributed in the hope that it will be useful, | |
14 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | |
15 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
16 | * GNU General Public License for more details. | |
55abcbb2 | 17 | * |
db137867 AC |
18 | * You should have received a copy of the GNU General Public License |
19 | * along with this program; if not, write to the Free Software | |
20 | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 | |
21 | * USA | |
22 | * | |
db137867 AC |
23 | */ |
24 | ||
fe037171 EM |
25 | #include <librb_config.h> |
26 | #include <rb_lib.h> | |
db137867 AC |
27 | |
28 | #ifdef HAVE_OPENSSL | |
29 | ||
30 | #include <commio-int.h> | |
31 | #include <commio-ssl.h> | |
32 | #include <openssl/ssl.h> | |
33 | #include <openssl/dh.h> | |
34 | #include <openssl/err.h> | |
d3806d05 | 35 | #include <openssl/evp.h> |
db137867 | 36 | #include <openssl/rand.h> |
3ae24413 AJ |
37 | #include <openssl/opensslv.h> |
38 | ||
39 | /* | |
40 | * This is a mess but what can you do when the library authors | |
41 | * refuse to play ball with established conventions? | |
42 | */ | |
43 | #if defined(LIBRESSL_VERSION_NUMBER) && (LIBRESSL_VERSION_NUMBER >= 0x20020002L) | |
44 | # define LRB_HAVE_TLS_METHOD_API 1 | |
45 | #else | |
46 | # if !defined(LIBRESSL_VERSION_NUMBER) && (OPENSSL_VERSION_NUMBER >= 0x10100000L) | |
47 | # define LRB_HAVE_TLS_METHOD_API 1 | |
48 | # endif | |
49 | #endif | |
db137867 AC |
50 | |
51 | static SSL_CTX *ssl_server_ctx; | |
52 | static SSL_CTX *ssl_client_ctx; | |
fe037171 | 53 | static int librb_index = -1; |
db137867 | 54 | |
3202e249 VY |
55 | static unsigned long |
56 | get_last_err(void) | |
db137867 AC |
57 | { |
58 | unsigned long t_err, err = 0; | |
59 | err = ERR_get_error(); | |
60 | if(err == 0) | |
61 | return 0; | |
3202e249 | 62 | |
db137867 AC |
63 | while((t_err = ERR_get_error()) > 0) |
64 | err = t_err; | |
65 | ||
66 | return err; | |
67 | } | |
68 | ||
69 | void | |
3202e249 | 70 | rb_ssl_shutdown(rb_fde_t *F) |
db137867 AC |
71 | { |
72 | int i; | |
73 | if(F == NULL || F->ssl == NULL) | |
74 | return; | |
75 | SSL_set_shutdown((SSL *) F->ssl, SSL_RECEIVED_SHUTDOWN); | |
76 | ||
3202e249 | 77 | for(i = 0; i < 4; i++) |
db137867 AC |
78 | { |
79 | if(SSL_shutdown((SSL *) F->ssl)) | |
80 | break; | |
81 | } | |
82 | get_last_err(); | |
83 | SSL_free((SSL *) F->ssl); | |
84 | } | |
85 | ||
c2ac22cc VY |
86 | unsigned int |
87 | rb_ssl_handshake_count(rb_fde_t *F) | |
88 | { | |
89 | return F->handshake_count; | |
90 | } | |
91 | ||
92 | void | |
93 | rb_ssl_clear_handshake_count(rb_fde_t *F) | |
94 | { | |
95 | F->handshake_count = 0; | |
96 | } | |
97 | ||
db137867 | 98 | static void |
3202e249 | 99 | rb_ssl_timeout(rb_fde_t *F, void *notused) |
db137867 | 100 | { |
73d6283c VY |
101 | lrb_assert(F->accept != NULL); |
102 | F->accept->callback(F, RB_ERR_TIMEOUT, NULL, 0, F->accept->data); | |
db137867 AC |
103 | } |
104 | ||
105 | ||
3202e249 VY |
106 | static void |
107 | rb_ssl_info_callback(SSL * ssl, int where, int ret) | |
c2ac22cc VY |
108 | { |
109 | if(where & SSL_CB_HANDSHAKE_START) | |
110 | { | |
fe037171 | 111 | rb_fde_t *F = SSL_get_ex_data(ssl, librb_index); |
c2ac22cc VY |
112 | if(F == NULL) |
113 | return; | |
114 | F->handshake_count++; | |
3202e249 | 115 | } |
c2ac22cc VY |
116 | } |
117 | ||
118 | static void | |
119 | rb_setup_ssl_cb(rb_fde_t *F) | |
120 | { | |
fe037171 | 121 | SSL_set_ex_data(F->ssl, librb_index, (char *)F); |
3202e249 | 122 | SSL_set_info_callback((SSL *) F->ssl, (void (*)(const SSL *,int,int))rb_ssl_info_callback); |
c2ac22cc VY |
123 | } |
124 | ||
db137867 | 125 | static void |
3202e249 | 126 | rb_ssl_tryaccept(rb_fde_t *F, void *data) |
db137867 AC |
127 | { |
128 | int ssl_err; | |
129 | lrb_assert(F->accept != NULL); | |
73d6283c | 130 | int flags; |
2142f691 | 131 | struct acceptdata *ad; |
db137867 AC |
132 | |
133 | if(!SSL_is_init_finished((SSL *) F->ssl)) | |
134 | { | |
135 | if((ssl_err = SSL_accept((SSL *) F->ssl)) <= 0) | |
136 | { | |
137 | switch (ssl_err = SSL_get_error((SSL *) F->ssl, ssl_err)) | |
138 | { | |
db137867 AC |
139 | case SSL_ERROR_WANT_READ: |
140 | case SSL_ERROR_WANT_WRITE: | |
73d6283c VY |
141 | if(ssl_err == SSL_ERROR_WANT_WRITE) |
142 | flags = RB_SELECT_WRITE; | |
143 | else | |
144 | flags = RB_SELECT_READ; | |
145 | F->ssl_errno = get_last_err(); | |
146 | rb_setselect(F, flags, rb_ssl_tryaccept, NULL); | |
147 | break; | |
148 | case SSL_ERROR_SYSCALL: | |
149 | F->accept->callback(F, RB_ERROR, NULL, 0, F->accept->data); | |
150 | break; | |
db137867 AC |
151 | default: |
152 | F->ssl_errno = get_last_err(); | |
153 | F->accept->callback(F, RB_ERROR_SSL, NULL, 0, F->accept->data); | |
154 | break; | |
155 | } | |
156 | return; | |
157 | } | |
158 | } | |
159 | rb_settimeout(F, 0, NULL, NULL); | |
160 | rb_setselect(F, RB_SELECT_READ | RB_SELECT_WRITE, NULL, NULL); | |
3202e249 | 161 | |
2142f691 | 162 | ad = F->accept; |
db137867 | 163 | F->accept = NULL; |
3202e249 | 164 | ad->callback(F, RB_OK, (struct sockaddr *)&ad->S, ad->addrlen, ad->data); |
2142f691 | 165 | rb_free(ad); |
db137867 AC |
166 | |
167 | } | |
168 | ||
c2ac22cc VY |
169 | |
170 | static void | |
171 | rb_ssl_accept_common(rb_fde_t *new_F) | |
db137867 AC |
172 | { |
173 | int ssl_err; | |
db137867 AC |
174 | if((ssl_err = SSL_accept((SSL *) new_F->ssl)) <= 0) |
175 | { | |
176 | switch (ssl_err = SSL_get_error((SSL *) new_F->ssl, ssl_err)) | |
177 | { | |
178 | case SSL_ERROR_SYSCALL: | |
179 | if(rb_ignore_errno(errno)) | |
180 | case SSL_ERROR_WANT_READ: | |
181 | case SSL_ERROR_WANT_WRITE: | |
182 | { | |
183 | new_F->ssl_errno = get_last_err(); | |
184 | rb_setselect(new_F, RB_SELECT_READ | RB_SELECT_WRITE, | |
185 | rb_ssl_tryaccept, NULL); | |
186 | return; | |
187 | } | |
188 | default: | |
189 | new_F->ssl_errno = get_last_err(); | |
190 | new_F->accept->callback(new_F, RB_ERROR_SSL, NULL, 0, new_F->accept->data); | |
191 | return; | |
192 | } | |
193 | } | |
194 | else | |
195 | { | |
196 | rb_ssl_tryaccept(new_F, NULL); | |
197 | } | |
198 | } | |
199 | ||
c2ac22cc | 200 | void |
3202e249 | 201 | rb_ssl_start_accepted(rb_fde_t *new_F, ACCB * cb, void *data, int timeout) |
c2ac22cc VY |
202 | { |
203 | new_F->type |= RB_FD_SSL; | |
204 | new_F->ssl = SSL_new(ssl_server_ctx); | |
205 | new_F->accept = rb_malloc(sizeof(struct acceptdata)); | |
206 | ||
207 | new_F->accept->callback = cb; | |
208 | new_F->accept->data = data; | |
209 | rb_settimeout(new_F, timeout, rb_ssl_timeout, NULL); | |
210 | ||
211 | new_F->accept->addrlen = 0; | |
212 | SSL_set_fd((SSL *) new_F->ssl, rb_get_fd(new_F)); | |
213 | rb_setup_ssl_cb(new_F); | |
214 | rb_ssl_accept_common(new_F); | |
215 | } | |
216 | ||
db137867 AC |
217 | |
218 | ||
219 | ||
220 | void | |
3202e249 | 221 | rb_ssl_accept_setup(rb_fde_t *F, rb_fde_t *new_F, struct sockaddr *st, int addrlen) |
db137867 | 222 | { |
db137867 AC |
223 | new_F->type |= RB_FD_SSL; |
224 | new_F->ssl = SSL_new(ssl_server_ctx); | |
225 | new_F->accept = rb_malloc(sizeof(struct acceptdata)); | |
226 | ||
227 | new_F->accept->callback = F->accept->callback; | |
228 | new_F->accept->data = F->accept->data; | |
229 | rb_settimeout(new_F, 10, rb_ssl_timeout, NULL); | |
230 | memcpy(&new_F->accept->S, st, addrlen); | |
231 | new_F->accept->addrlen = addrlen; | |
232 | ||
a9fb3ed0 | 233 | SSL_set_fd((SSL *) new_F->ssl, rb_get_fd(new_F)); |
c2ac22cc VY |
234 | rb_setup_ssl_cb(new_F); |
235 | rb_ssl_accept_common(new_F); | |
db137867 AC |
236 | } |
237 | ||
238 | static ssize_t | |
3202e249 | 239 | rb_ssl_read_or_write(int r_or_w, rb_fde_t *F, void *rbuf, const void *wbuf, size_t count) |
db137867 AC |
240 | { |
241 | ssize_t ret; | |
242 | unsigned long err; | |
243 | SSL *ssl = F->ssl; | |
244 | ||
245 | if(r_or_w == 0) | |
3202e249 | 246 | ret = (ssize_t) SSL_read(ssl, rbuf, (int)count); |
db137867 | 247 | else |
3202e249 | 248 | ret = (ssize_t) SSL_write(ssl, wbuf, (int)count); |
db137867 AC |
249 | |
250 | if(ret < 0) | |
251 | { | |
252 | switch (SSL_get_error(ssl, ret)) | |
253 | { | |
254 | case SSL_ERROR_WANT_READ: | |
255 | errno = EAGAIN; | |
256 | return RB_RW_SSL_NEED_READ; | |
257 | case SSL_ERROR_WANT_WRITE: | |
258 | errno = EAGAIN; | |
259 | return RB_RW_SSL_NEED_WRITE; | |
260 | case SSL_ERROR_ZERO_RETURN: | |
261 | return 0; | |
262 | case SSL_ERROR_SYSCALL: | |
263 | err = get_last_err(); | |
264 | if(err == 0) | |
265 | { | |
266 | F->ssl_errno = 0; | |
267 | return RB_RW_IO_ERROR; | |
268 | } | |
269 | break; | |
270 | default: | |
271 | err = get_last_err(); | |
272 | break; | |
273 | } | |
274 | F->ssl_errno = err; | |
275 | if(err > 0) | |
276 | { | |
277 | errno = EIO; /* not great but... */ | |
278 | return RB_RW_SSL_ERROR; | |
279 | } | |
280 | return RB_RW_IO_ERROR; | |
281 | } | |
282 | return ret; | |
283 | } | |
284 | ||
285 | ssize_t | |
3202e249 | 286 | rb_ssl_read(rb_fde_t *F, void *buf, size_t count) |
db137867 AC |
287 | { |
288 | return rb_ssl_read_or_write(0, F, buf, NULL, count); | |
289 | } | |
290 | ||
291 | ssize_t | |
3202e249 | 292 | rb_ssl_write(rb_fde_t *F, const void *buf, size_t count) |
db137867 AC |
293 | { |
294 | return rb_ssl_read_or_write(1, F, NULL, buf, count); | |
295 | } | |
296 | ||
7247337a JT |
297 | static int |
298 | verify_accept_all_cb(int preverify_ok, X509_STORE_CTX *x509_ctx) | |
299 | { | |
300 | return 1; | |
301 | } | |
302 | ||
918d73d5 JT |
303 | static const char * |
304 | get_ssl_error(unsigned long err) | |
305 | { | |
306 | static char buf[512]; | |
307 | ||
308 | ERR_error_string_n(err, buf, sizeof buf); | |
309 | return buf; | |
310 | } | |
311 | ||
db137867 AC |
312 | int |
313 | rb_init_ssl(void) | |
314 | { | |
315 | int ret = 1; | |
fe037171 EM |
316 | char librb_data[] = "librb data"; |
317 | const char librb_ciphers[] = "kEECDH+HIGH:kEDH+HIGH:HIGH:!RC4:!aNULL"; | |
db137867 AC |
318 | SSL_load_error_strings(); |
319 | SSL_library_init(); | |
fe037171 | 320 | librb_index = SSL_get_ex_new_index(0, librb_data, NULL, NULL, NULL); |
a4c8c827 | 321 | |
3ae24413 | 322 | #ifndef LRB_HAVE_TLS_METHOD_API |
db137867 | 323 | ssl_server_ctx = SSL_CTX_new(SSLv23_server_method()); |
a4c8c827 AJ |
324 | #else |
325 | ssl_server_ctx = SSL_CTX_new(TLS_server_method()); | |
326 | #endif | |
327 | ||
db137867 AC |
328 | if(ssl_server_ctx == NULL) |
329 | { | |
330 | rb_lib_log("rb_init_openssl: Unable to initialize OpenSSL server context: %s", | |
918d73d5 | 331 | get_ssl_error(ERR_get_error())); |
db137867 AC |
332 | ret = 0; |
333 | } | |
a4c8c827 AJ |
334 | |
335 | long server_options = SSL_CTX_get_options(ssl_server_ctx); | |
336 | ||
3ae24413 | 337 | #ifndef LRB_HAVE_TLS_METHOD_API |
a4c8c827 AJ |
338 | server_options |= SSL_OP_NO_SSLv2; |
339 | server_options |= SSL_OP_NO_SSLv3; | |
340 | #endif | |
341 | ||
362ef2d9 | 342 | #ifdef SSL_OP_SINGLE_DH_USE |
a4c8c827 AJ |
343 | server_options |= SSL_OP_SINGLE_DH_USE; |
344 | #endif | |
345 | ||
346 | #ifdef SSL_OP_SINGLE_ECDH_USE | |
347 | server_options |= SSL_OP_SINGLE_ECDH_USE; | |
6b6a5799 | 348 | #endif |
a4c8c827 | 349 | |
6b6a5799 | 350 | #ifdef SSL_OP_NO_TICKET |
a4c8c827 | 351 | server_options |= SSL_OP_NO_TICKET; |
362ef2d9 | 352 | #endif |
a4c8c827 AJ |
353 | |
354 | server_options |= SSL_OP_CIPHER_SERVER_PREFERENCE; | |
355 | ||
356 | SSL_CTX_set_options(ssl_server_ctx, server_options); | |
7247337a | 357 | SSL_CTX_set_verify(ssl_server_ctx, SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE, verify_accept_all_cb); |
989652e7 | 358 | SSL_CTX_set_session_cache_mode(ssl_server_ctx, SSL_SESS_CACHE_OFF); |
fe037171 | 359 | SSL_CTX_set_cipher_list(ssl_server_ctx, librb_ciphers); |
b6e799f5 | 360 | |
3a1f645b EM |
361 | /* Set ECDHE on OpenSSL 1.00+, but make sure it's actually available |
362 | * (it's not by default on Solaris or Red Hat... fuck Red Hat and Oracle) | |
363 | */ | |
364 | #if (OPENSSL_VERSION_NUMBER >= 0x10000000L) && !defined(OPENSSL_NO_ECDH) | |
9e26f000 KB |
365 | EC_KEY *key = EC_KEY_new_by_curve_name(NID_secp384r1); |
366 | if (key) { | |
367 | SSL_CTX_set_tmp_ecdh(ssl_server_ctx, key); | |
368 | EC_KEY_free(key); | |
369 | } | |
31d22015 | 370 | #endif |
3202e249 | 371 | |
3ae24413 | 372 | #ifndef LRB_HAVE_TLS_METHOD_API |
25f7ee7d | 373 | ssl_client_ctx = SSL_CTX_new(SSLv23_client_method()); |
a4c8c827 | 374 | #else |
c86f11da | 375 | ssl_client_ctx = SSL_CTX_new(TLS_client_method()); |
a4c8c827 | 376 | #endif |
db137867 AC |
377 | |
378 | if(ssl_client_ctx == NULL) | |
379 | { | |
380 | rb_lib_log("rb_init_openssl: Unable to initialize OpenSSL client context: %s", | |
918d73d5 | 381 | get_ssl_error(ERR_get_error())); |
db137867 AC |
382 | ret = 0; |
383 | } | |
6b6a5799 | 384 | |
25f7ee7d AJ |
385 | #ifndef LRB_HAVE_TLS_METHOD_API |
386 | SSL_CTX_set_options(ssl_client_ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3); | |
387 | #endif | |
388 | ||
6b6a5799 AM |
389 | #ifdef SSL_OP_NO_TICKET |
390 | SSL_CTX_set_options(ssl_client_ctx, SSL_OP_NO_TICKET); | |
391 | #endif | |
392 | ||
fe037171 | 393 | SSL_CTX_set_cipher_list(ssl_client_ctx, librb_ciphers); |
cb266283 | 394 | |
db137867 AC |
395 | return ret; |
396 | } | |
397 | ||
398 | ||
399 | int | |
c1725bda | 400 | rb_setup_ssl_server(const char *cert, const char *keyfile, const char *dhfile, const char *cipher_list) |
db137867 | 401 | { |
db137867 AC |
402 | DH *dh; |
403 | unsigned long err; | |
404 | if(cert == NULL) | |
405 | { | |
406 | rb_lib_log("rb_setup_ssl_server: No certificate file"); | |
407 | return 0; | |
408 | } | |
07e14084 | 409 | if(!SSL_CTX_use_certificate_chain_file(ssl_server_ctx, cert) || !SSL_CTX_use_certificate_chain_file(ssl_client_ctx, cert)) |
db137867 AC |
410 | { |
411 | err = ERR_get_error(); | |
412 | rb_lib_log("rb_setup_ssl_server: Error loading certificate file [%s]: %s", cert, | |
918d73d5 | 413 | get_ssl_error(err)); |
db137867 AC |
414 | return 0; |
415 | } | |
416 | ||
417 | if(keyfile == NULL) | |
418 | { | |
419 | rb_lib_log("rb_setup_ssl_server: No key file"); | |
420 | return 0; | |
421 | } | |
422 | ||
423 | ||
07e14084 | 424 | if(!SSL_CTX_use_PrivateKey_file(ssl_server_ctx, keyfile, SSL_FILETYPE_PEM) || !SSL_CTX_use_PrivateKey_file(ssl_client_ctx, keyfile, SSL_FILETYPE_PEM)) |
db137867 AC |
425 | { |
426 | err = ERR_get_error(); | |
427 | rb_lib_log("rb_setup_ssl_server: Error loading keyfile [%s]: %s", keyfile, | |
918d73d5 | 428 | get_ssl_error(err)); |
db137867 AC |
429 | return 0; |
430 | } | |
431 | ||
432 | if(dhfile != NULL) | |
433 | { | |
434 | /* DH parameters aren't necessary, but they are nice..if they didn't pass one..that is their problem */ | |
3202e249 VY |
435 | BIO *bio = BIO_new_file(dhfile, "r"); |
436 | if(bio != NULL) | |
db137867 | 437 | { |
3202e249 | 438 | dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL); |
db137867 AC |
439 | if(dh == NULL) |
440 | { | |
441 | err = ERR_get_error(); | |
442 | rb_lib_log | |
443 | ("rb_setup_ssl_server: Error loading DH params file [%s]: %s", | |
918d73d5 | 444 | dhfile, get_ssl_error(err)); |
3202e249 | 445 | BIO_free(bio); |
db137867 AC |
446 | return 0; |
447 | } | |
3202e249 | 448 | BIO_free(bio); |
db137867 | 449 | SSL_CTX_set_tmp_dh(ssl_server_ctx, dh); |
3202e249 VY |
450 | } |
451 | else | |
452 | { | |
453 | err = ERR_get_error(); | |
454 | rb_lib_log("rb_setup_ssl_server: Error loading DH params file [%s]: %s", | |
918d73d5 | 455 | dhfile, get_ssl_error(err)); |
db137867 AC |
456 | } |
457 | } | |
c1725bda AC |
458 | |
459 | if (cipher_list != NULL) | |
460 | { | |
461 | SSL_CTX_set_cipher_list(ssl_server_ctx, cipher_list); | |
462 | } | |
463 | ||
db137867 AC |
464 | return 1; |
465 | } | |
466 | ||
467 | int | |
aa4737a0 | 468 | rb_ssl_listen(rb_fde_t *F, int backlog, int defer_accept) |
db137867 | 469 | { |
aa4737a0 AC |
470 | int result; |
471 | ||
472 | result = rb_listen(F, backlog, defer_accept); | |
db137867 | 473 | F->type = RB_FD_SOCKET | RB_FD_LISTEN | RB_FD_SSL; |
aa4737a0 AC |
474 | |
475 | return result; | |
db137867 AC |
476 | } |
477 | ||
478 | struct ssl_connect | |
479 | { | |
480 | CNCB *callback; | |
481 | void *data; | |
482 | int timeout; | |
483 | }; | |
484 | ||
485 | static void | |
3202e249 | 486 | rb_ssl_connect_realcb(rb_fde_t *F, int status, struct ssl_connect *sconn) |
db137867 AC |
487 | { |
488 | F->connect->callback = sconn->callback; | |
489 | F->connect->data = sconn->data; | |
490 | rb_free(sconn); | |
491 | rb_connect_callback(F, status); | |
492 | } | |
493 | ||
494 | static void | |
3202e249 | 495 | rb_ssl_tryconn_timeout_cb(rb_fde_t *F, void *data) |
db137867 AC |
496 | { |
497 | rb_ssl_connect_realcb(F, RB_ERR_TIMEOUT, data); | |
498 | } | |
499 | ||
500 | static void | |
3202e249 | 501 | rb_ssl_tryconn_cb(rb_fde_t *F, void *data) |
db137867 AC |
502 | { |
503 | struct ssl_connect *sconn = data; | |
504 | int ssl_err; | |
505 | if(!SSL_is_init_finished((SSL *) F->ssl)) | |
506 | { | |
507 | if((ssl_err = SSL_connect((SSL *) F->ssl)) <= 0) | |
508 | { | |
509 | switch (ssl_err = SSL_get_error((SSL *) F->ssl, ssl_err)) | |
510 | { | |
511 | case SSL_ERROR_SYSCALL: | |
512 | if(rb_ignore_errno(errno)) | |
513 | case SSL_ERROR_WANT_READ: | |
514 | case SSL_ERROR_WANT_WRITE: | |
515 | { | |
516 | F->ssl_errno = get_last_err(); | |
517 | rb_setselect(F, RB_SELECT_READ | RB_SELECT_WRITE, | |
518 | rb_ssl_tryconn_cb, sconn); | |
519 | return; | |
520 | } | |
521 | default: | |
522 | F->ssl_errno = get_last_err(); | |
523 | rb_ssl_connect_realcb(F, RB_ERROR_SSL, sconn); | |
524 | return; | |
525 | } | |
526 | } | |
527 | else | |
528 | { | |
529 | rb_ssl_connect_realcb(F, RB_OK, sconn); | |
530 | } | |
531 | } | |
532 | } | |
533 | ||
534 | static void | |
3202e249 | 535 | rb_ssl_tryconn(rb_fde_t *F, int status, void *data) |
db137867 AC |
536 | { |
537 | struct ssl_connect *sconn = data; | |
538 | int ssl_err; | |
539 | if(status != RB_OK) | |
540 | { | |
541 | rb_ssl_connect_realcb(F, status, sconn); | |
542 | return; | |
543 | } | |
544 | ||
545 | F->type |= RB_FD_SSL; | |
546 | F->ssl = SSL_new(ssl_client_ctx); | |
547 | SSL_set_fd((SSL *) F->ssl, F->fd); | |
c2ac22cc | 548 | rb_setup_ssl_cb(F); |
db137867 AC |
549 | rb_settimeout(F, sconn->timeout, rb_ssl_tryconn_timeout_cb, sconn); |
550 | if((ssl_err = SSL_connect((SSL *) F->ssl)) <= 0) | |
551 | { | |
552 | switch (ssl_err = SSL_get_error((SSL *) F->ssl, ssl_err)) | |
553 | { | |
554 | case SSL_ERROR_SYSCALL: | |
555 | if(rb_ignore_errno(errno)) | |
556 | case SSL_ERROR_WANT_READ: | |
557 | case SSL_ERROR_WANT_WRITE: | |
558 | { | |
559 | F->ssl_errno = get_last_err(); | |
560 | rb_setselect(F, RB_SELECT_READ | RB_SELECT_WRITE, | |
561 | rb_ssl_tryconn_cb, sconn); | |
562 | return; | |
563 | } | |
564 | default: | |
565 | F->ssl_errno = get_last_err(); | |
566 | rb_ssl_connect_realcb(F, RB_ERROR_SSL, sconn); | |
567 | return; | |
568 | } | |
569 | } | |
570 | else | |
571 | { | |
572 | rb_ssl_connect_realcb(F, RB_OK, sconn); | |
573 | } | |
574 | } | |
575 | ||
576 | void | |
3202e249 | 577 | rb_connect_tcp_ssl(rb_fde_t *F, struct sockaddr *dest, |
db137867 AC |
578 | struct sockaddr *clocal, int socklen, CNCB * callback, void *data, int timeout) |
579 | { | |
580 | struct ssl_connect *sconn; | |
581 | if(F == NULL) | |
582 | return; | |
583 | ||
584 | sconn = rb_malloc(sizeof(struct ssl_connect)); | |
585 | sconn->data = data; | |
586 | sconn->callback = callback; | |
587 | sconn->timeout = timeout; | |
588 | rb_connect_tcp(F, dest, clocal, socklen, rb_ssl_tryconn, sconn, timeout); | |
589 | ||
590 | } | |
591 | ||
592 | void | |
3202e249 | 593 | rb_ssl_start_connected(rb_fde_t *F, CNCB * callback, void *data, int timeout) |
db137867 AC |
594 | { |
595 | struct ssl_connect *sconn; | |
596 | int ssl_err; | |
597 | if(F == NULL) | |
598 | return; | |
599 | ||
600 | sconn = rb_malloc(sizeof(struct ssl_connect)); | |
601 | sconn->data = data; | |
602 | sconn->callback = callback; | |
603 | sconn->timeout = timeout; | |
604 | F->connect = rb_malloc(sizeof(struct conndata)); | |
605 | F->connect->callback = callback; | |
606 | F->connect->data = data; | |
607 | F->type |= RB_FD_SSL; | |
608 | F->ssl = SSL_new(ssl_client_ctx); | |
3202e249 | 609 | |
db137867 | 610 | SSL_set_fd((SSL *) F->ssl, F->fd); |
c2ac22cc | 611 | rb_setup_ssl_cb(F); |
db137867 AC |
612 | rb_settimeout(F, sconn->timeout, rb_ssl_tryconn_timeout_cb, sconn); |
613 | if((ssl_err = SSL_connect((SSL *) F->ssl)) <= 0) | |
614 | { | |
615 | switch (ssl_err = SSL_get_error((SSL *) F->ssl, ssl_err)) | |
616 | { | |
617 | case SSL_ERROR_SYSCALL: | |
618 | if(rb_ignore_errno(errno)) | |
619 | case SSL_ERROR_WANT_READ: | |
620 | case SSL_ERROR_WANT_WRITE: | |
621 | { | |
622 | F->ssl_errno = get_last_err(); | |
623 | rb_setselect(F, RB_SELECT_READ | RB_SELECT_WRITE, | |
624 | rb_ssl_tryconn_cb, sconn); | |
625 | return; | |
626 | } | |
627 | default: | |
628 | F->ssl_errno = get_last_err(); | |
629 | rb_ssl_connect_realcb(F, RB_ERROR_SSL, sconn); | |
630 | return; | |
631 | } | |
632 | } | |
633 | else | |
634 | { | |
635 | rb_ssl_connect_realcb(F, RB_OK, sconn); | |
636 | } | |
637 | } | |
638 | ||
639 | int | |
640 | rb_init_prng(const char *path, prng_seed_t seed_type) | |
641 | { | |
642 | if(seed_type == RB_PRNG_DEFAULT) | |
643 | { | |
3202e249 | 644 | #ifdef _WIN32 |
db137867 AC |
645 | RAND_screen(); |
646 | #endif | |
647 | return RAND_status(); | |
648 | } | |
649 | if(path == NULL) | |
650 | return RAND_status(); | |
651 | ||
652 | switch (seed_type) | |
653 | { | |
db137867 AC |
654 | case RB_PRNG_FILE: |
655 | if(RAND_load_file(path, -1) == -1) | |
656 | return -1; | |
657 | break; | |
3202e249 | 658 | #ifdef _WIN32 |
db137867 AC |
659 | case RB_PRNGWIN32: |
660 | RAND_screen(); | |
661 | break; | |
662 | #endif | |
663 | default: | |
664 | return -1; | |
665 | } | |
666 | ||
667 | return RAND_status(); | |
668 | } | |
669 | ||
670 | int | |
671 | rb_get_random(void *buf, size_t length) | |
672 | { | |
a9fb3ed0 | 673 | int ret; |
3202e249 | 674 | |
a9fb3ed0 | 675 | if((ret = RAND_bytes(buf, length)) == 0) |
db137867 | 676 | { |
a9fb3ed0 | 677 | /* remove the error from the queue */ |
3202e249 | 678 | ERR_get_error(); |
db137867 | 679 | } |
a9fb3ed0 | 680 | return ret; |
db137867 AC |
681 | } |
682 | ||
db137867 | 683 | const char * |
3202e249 | 684 | rb_get_ssl_strerror(rb_fde_t *F) |
db137867 | 685 | { |
918d73d5 | 686 | return get_ssl_error(F->ssl_errno); |
db137867 AC |
687 | } |
688 | ||
7247337a | 689 | int |
e6bbb410 | 690 | rb_get_ssl_certfp(rb_fde_t *F, uint8_t certfp[RB_SSL_CERTFP_LEN], int method) |
7247337a JT |
691 | { |
692 | X509 *cert; | |
693 | int res; | |
694 | ||
695 | if (F->ssl == NULL) | |
696 | return 0; | |
697 | ||
698 | cert = SSL_get_peer_certificate((SSL *) F->ssl); | |
699 | if(cert != NULL) | |
700 | { | |
701 | res = SSL_get_verify_result((SSL *) F->ssl); | |
614502a6 AJ |
702 | if( |
703 | res == X509_V_OK || | |
704 | res == X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN || | |
705 | res == X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE || | |
706 | res == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT || | |
707 | res == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY) | |
7247337a | 708 | { |
e6bbb410 EM |
709 | const EVP_MD *evp; |
710 | unsigned int len; | |
711 | ||
712 | switch(method) | |
713 | { | |
714 | case RB_SSL_CERTFP_METH_SHA1: | |
715 | evp = EVP_sha1(); | |
716 | len = RB_SSL_CERTFP_LEN_SHA1; | |
717 | break; | |
718 | case RB_SSL_CERTFP_METH_SHA256: | |
719 | evp = EVP_sha256(); | |
720 | len = RB_SSL_CERTFP_LEN_SHA256; | |
721 | break; | |
722 | case RB_SSL_CERTFP_METH_SHA512: | |
723 | evp = EVP_sha512(); | |
724 | len = RB_SSL_CERTFP_LEN_SHA512; | |
725 | break; | |
726 | default: | |
727 | return 0; | |
728 | } | |
729 | ||
730 | X509_digest(cert, evp, certfp, &len); | |
97b0e99e | 731 | X509_free(cert); |
e6bbb410 | 732 | return len; |
7247337a | 733 | } |
b2d64e51 | 734 | X509_free(cert); |
7247337a JT |
735 | } |
736 | ||
737 | return 0; | |
738 | } | |
739 | ||
db137867 AC |
740 | int |
741 | rb_supports_ssl(void) | |
742 | { | |
743 | return 1; | |
744 | } | |
745 | ||
030272f3 VY |
746 | void |
747 | rb_get_ssl_info(char *buf, size_t len) | |
748 | { | |
5203cba5 | 749 | snprintf(buf, len, "Using SSL: %s compiled: 0x%lx, library 0x%lx", |
e732a57b JT |
750 | SSLeay_version(SSLEAY_VERSION), |
751 | (long)OPENSSL_VERSION_NUMBER, SSLeay()); | |
030272f3 VY |
752 | } |
753 | ||
833b2f9c AC |
754 | const char * |
755 | rb_ssl_get_cipher(rb_fde_t *F) | |
756 | { | |
757 | const SSL_CIPHER *sslciph; | |
758 | ||
759 | if(F == NULL || F->ssl == NULL) | |
760 | return NULL; | |
761 | ||
762 | if((sslciph = SSL_get_current_cipher(F->ssl)) == NULL) | |
763 | return NULL; | |
764 | ||
765 | return SSL_CIPHER_get_name(sslciph); | |
766 | } | |
030272f3 | 767 | |
db137867 | 768 | #endif /* HAVE_OPESSL */ |