]> jfr.im git - solanum.git/blame - librb/src/openssl.c
mkfingerprint: use certfp method names from certfp.h
db137867 1/*
fe037171 2 * librb: a library used by ircd-ratbox and other things
db137867
AC
3 * openssl.c: openssl related code
4 *
5 * Copyright (C) 2007-2008 ircd-ratbox development team
6 * Copyright (C) 2007-2008 Aaron Sethman <androsyn@ratbox.org>
7 *
8 * This program is free software; you can redistribute it and/or modify
9 * it under the terms of the GNU General Public License as published by
10 * the Free Software Foundation; either version 2 of the License, or
11 * (at your option) any later version.
12 *
13 * This program is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
55abcbb2 17 *
db137867
AC
18 * You should have received a copy of the GNU General Public License
19 * along with this program; if not, write to the Free Software
20 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301
21 * USA
22 *
db137867
AC
23 */
24
fe037171
EM
25#include <librb_config.h>
26#include <rb_lib.h>
db137867
AC
27
28#ifdef HAVE_OPENSSL
29
30#include <commio-int.h>
31#include <commio-ssl.h>
32#include <openssl/ssl.h>
33#include <openssl/dh.h>
34#include <openssl/err.h>
d3806d05 35#include <openssl/evp.h>
db137867 36#include <openssl/rand.h>
3ae24413
AJ
37#include <openssl/opensslv.h>
38
/*
 * This is a mess but what can you do when the library authors
 * refuse to play ball with established conventions?
 *
 * LRB_HAVE_TLS_METHOD_API is defined when the TLS library is either
 * LibreSSL with LIBRESSL_VERSION_NUMBER >= 0x20020002L, or a non-LibreSSL
 * build with OPENSSL_VERSION_NUMBER >= 0x10100000L.  rb_init_ssl() uses it
 * to choose between the SSLv23_*_method() and TLS_*_method() constructors.
 * LibreSSL is tested through its own version macro rather than through
 * OPENSSL_VERSION_NUMBER.
 */
#if defined(LIBRESSL_VERSION_NUMBER) && (LIBRESSL_VERSION_NUMBER >= 0x20020002L)
# define LRB_HAVE_TLS_METHOD_API 1
#else
# if !defined(LIBRESSL_VERSION_NUMBER) && (OPENSSL_VERSION_NUMBER >= 0x10100000L)
# define LRB_HAVE_TLS_METHOD_API 1
# endif
#endif
db137867
AC
50
/*
 * Process-wide TLS contexts, created by rb_init_ssl(): one for sessions we
 * accept, one for sessions we initiate.  Both stay NULL if creation failed.
 */
static SSL_CTX *ssl_server_ctx;
static SSL_CTX *ssl_client_ctx;
/* SSL ex_data slot mapping an SSL object back to its rb_fde_t; -1 until rb_init_ssl() assigns it. */
static int librb_index = -1;
db137867 54
3202e249
VY
/*
 * Drain the OpenSSL error queue and return the last code taken from it.
 *
 * Returns 0 when the queue was already empty.  Every queued entry is
 * consumed, so no stale error is left behind for a later call to pick up.
 */
static unsigned long
get_last_err(void)
{
	unsigned long newest = 0;
	unsigned long cur;

	for(cur = ERR_get_error(); cur != 0; cur = ERR_get_error())
		newest = cur;

	return newest;
}
68
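/*
 * Shut down and release the TLS session attached to F.
 *
 * Does nothing when F or F->ssl is NULL.  SSL_shutdown() is retried at most
 * four times; the loop stops on the first non-zero return, whether that is
 * success or an error.  Any errors queued along the way are discarded.
 *
 * F->ssl is cleared after SSL_free() so that a later call on the same
 * descriptor (or any other code that tests F->ssl) cannot touch the freed
 * object.
 */
void
rb_ssl_shutdown(rb_fde_t *F)
{
	int i;

	if(F == NULL || F->ssl == NULL)
		return;

	SSL_set_shutdown((SSL *) F->ssl, SSL_RECEIVED_SHUTDOWN);

	for(i = 0; i < 4; i++)
	{
		if(SSL_shutdown((SSL *) F->ssl))
			break;
	}

	/* discard whatever the shutdown attempts left in the error queue */
	get_last_err();

	SSL_free((SSL *) F->ssl);
	F->ssl = NULL;
}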
85
c2ac22cc
VY
/*
 * Return the number of TLS handshake starts recorded on F by
 * rb_ssl_info_callback().  F must not be NULL.
 */
unsigned int
rb_ssl_handshake_count(rb_fde_t *F)
{
	unsigned int started = F->handshake_count;

	return started;
}
91
/*
 * Reset the handshake-start counter kept on F.  F must not be NULL.
 */
void
rb_ssl_clear_handshake_count(rb_fde_t *F)
{
	/* counting restarts from the next SSL_CB_HANDSHAKE_START event */
	F->handshake_count = 0;
}
97
/*
 * Timeout handler for a pending server-side handshake: report
 * RB_ERR_TIMEOUT to the accept callback stored on F.
 * The second argument is unused.
 */
static void
rb_ssl_timeout(rb_fde_t *F, void *notused)
{
	struct acceptdata *pending;

	lrb_assert(F->accept != NULL);

	pending = F->accept;
	pending->callback(F, RB_ERR_TIMEOUT, NULL, 0, pending->data);
}
104
105
3202e249
VY
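/*
 * OpenSSL info callback: count handshake starts on the owning descriptor.
 *
 * The rb_fde_t is looked up through the ex_data slot librb_index; events on
 * an SSL object with no descriptor attached are ignored.  Each
 * SSL_CB_HANDSHAKE_START event increments F->handshake_count, which callers
 * read through rb_ssl_handshake_count() -- presumably to notice
 * renegotiation; confirm against the callers.
 *
 * The first parameter is const-qualified so that this function has exactly
 * the type SSL_set_info_callback() invokes it through; calling a function
 * through a pointer of a different type is undefined behaviour.
 */
static void
rb_ssl_info_callback(const SSL *ssl, int where, int ret)
{
	rb_fde_t *F;

	(void) ret;

	if(!(where & SSL_CB_HANDSHAKE_START))
		return;

	F = SSL_get_ex_data(ssl, librb_index);
	if(F == NULL)
		return;

	F->handshake_count++;
}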
117
/*
 * Link the SSL object on F back to F and install the info callback.
 *
 * F is stored in the ex_data slot librb_index so rb_ssl_info_callback() can
 * find the descriptor from the SSL pointer it is given.
 */
static void
rb_setup_ssl_cb(rb_fde_t *F)
{
	SSL *session = (SSL *) F->ssl;

	SSL_set_ex_data(session, librb_index, (char *)F);
	SSL_set_info_callback(session,
			      (void (*)(const SSL *, int, int))rb_ssl_info_callback);
}
124
/*
 * Drive a server-side handshake forward; used as the select handler while
 * SSL_accept() is still in progress.  The data argument is unused.
 *
 * While the handshake is unfinished:
 *   - WANT_READ / WANT_WRITE: record the last queued error and wait for the
 *     matching readiness event, then run again;
 *   - SSL_ERROR_SYSCALL: report RB_ERROR to the accept callback;
 *   - anything else: record the error and report RB_ERROR_SSL.
 * Once the handshake is complete the timeout and select handlers are
 * cleared, the accept data is detached from F, the callback receives RB_OK
 * with the stored peer address, and the accept data is freed.
 */
static void
rb_ssl_tryaccept(rb_fde_t *F, void *data)
{
	struct acceptdata *ad;
	int rc;

	lrb_assert(F->accept != NULL);

	if(!SSL_is_init_finished((SSL *) F->ssl))
	{
		rc = SSL_accept((SSL *) F->ssl);
		if(rc <= 0)
		{
			int reason = SSL_get_error((SSL *) F->ssl, rc);

			if(reason == SSL_ERROR_WANT_READ || reason == SSL_ERROR_WANT_WRITE)
			{
				int flags = (reason == SSL_ERROR_WANT_WRITE) ? RB_SELECT_WRITE : RB_SELECT_READ;

				F->ssl_errno = get_last_err();
				rb_setselect(F, flags, rb_ssl_tryaccept, NULL);
			}
			else if(reason == SSL_ERROR_SYSCALL)
			{
				F->accept->callback(F, RB_ERROR, NULL, 0, F->accept->data);
			}
			else
			{
				F->ssl_errno = get_last_err();
				F->accept->callback(F, RB_ERROR_SSL, NULL, 0, F->accept->data);
			}
			return;
		}
	}

	rb_settimeout(F, 0, NULL, NULL);
	rb_setselect(F, RB_SELECT_READ | RB_SELECT_WRITE, NULL, NULL);

	/* detach before calling out so the callback sees F without pending accept state */
	ad = F->accept;
	F->accept = NULL;
	ad->callback(F, RB_OK, (struct sockaddr *)&ad->S, ad->addrlen, ad->data);
	rb_free(ad);
}
168
c2ac22cc
VY
169
/*
 * Make the first SSL_accept() attempt on a freshly prepared descriptor.
 *
 * On immediate success control passes to rb_ssl_tryaccept(), which finishes
 * the accept.  If OpenSSL wants more I/O -- or reports SSL_ERROR_SYSCALL with
 * an errno that rb_ignore_errno() accepts -- the descriptor is registered
 * for read and write readiness with rb_ssl_tryaccept() as the handler.
 * Every other failure is reported to the accept callback as RB_ERROR_SSL.
 * The last queued OpenSSL error is stored in ssl_errno on both failure
 * paths.
 */
static void
rb_ssl_accept_common(rb_fde_t *new_F)
{
	int rc;
	int reason;
	int retry;

	rc = SSL_accept((SSL *) new_F->ssl);
	if(rc > 0)
	{
		rb_ssl_tryaccept(new_F, NULL);
		return;
	}

	reason = SSL_get_error((SSL *) new_F->ssl, rc);
	retry = (reason == SSL_ERROR_WANT_READ
		 || reason == SSL_ERROR_WANT_WRITE
		 || (reason == SSL_ERROR_SYSCALL && rb_ignore_errno(errno)));

	new_F->ssl_errno = get_last_err();

	if(retry)
		rb_setselect(new_F, RB_SELECT_READ | RB_SELECT_WRITE, rb_ssl_tryaccept, NULL);
	else
		new_F->accept->callback(new_F, RB_ERROR_SSL, NULL, 0, new_F->accept->data);
}
199
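/*
 * Start a server-side TLS handshake on an already accepted descriptor.
 *
 * new_F   descriptor to upgrade; gains RB_FD_SSL and a new SSL object
 * cb      callback that receives the handshake result
 * data    opaque argument passed back to cb
 * timeout handed to rb_settimeout() with rb_ssl_timeout as the handler
 *
 * No peer address is recorded (addrlen is 0).
 *
 * SSL_new() returns NULL on failure, and passing that on to SSL_set_fd()
 * would dereference it.  The failure is therefore reported through cb as
 * RB_ERROR_SSL, the same status rb_ssl_accept_common() uses for handshake
 * errors.
 */
void
rb_ssl_start_accepted(rb_fde_t *new_F, ACCB * cb, void *data, int timeout)
{
	new_F->type |= RB_FD_SSL;
	new_F->ssl = SSL_new(ssl_server_ctx);
	new_F->accept = rb_malloc(sizeof(struct acceptdata));

	new_F->accept->callback = cb;
	new_F->accept->data = data;
	new_F->accept->addrlen = 0;

	if(new_F->ssl == NULL)
	{
		new_F->ssl_errno = get_last_err();
		new_F->accept->callback(new_F, RB_ERROR_SSL, NULL, 0, new_F->accept->data);
		return;
	}

	rb_settimeout(new_F, timeout, rb_ssl_timeout, NULL);

	SSL_set_fd((SSL *) new_F->ssl, rb_get_fd(new_F));
	rb_setup_ssl_cb(new_F);
	rb_ssl_accept_common(new_F);
}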
216
db137867
AC
217
218
219
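/*
 * Prepare a descriptor accepted on a TLS listener and start its handshake.
 *
 * F        listening descriptor; its accept callback and data are inherited
 * new_F    newly accepted descriptor; gains RB_FD_SSL and a new SSL object
 * st       peer address, copied into new_F->accept->S
 * addrlen  number of bytes valid at st
 *
 * The handshake timeout is fixed at 10 (as passed to rb_settimeout()).
 *
 * Two conditions are rejected before any TLS work is done, both reported
 * through the inherited callback:
 *   - addrlen is negative or larger than the storage it is copied into,
 *     which would make the memcpy() write past new_F->accept->S (RB_ERROR);
 *   - SSL_new() failed, which would otherwise hand a NULL pointer to
 *     SSL_set_fd() (RB_ERROR_SSL).
 */
void
rb_ssl_accept_setup(rb_fde_t *F, rb_fde_t *new_F, struct sockaddr *st, int addrlen)
{
	new_F->type |= RB_FD_SSL;
	new_F->ssl = SSL_new(ssl_server_ctx);
	new_F->accept = rb_malloc(sizeof(struct acceptdata));

	new_F->accept->callback = F->accept->callback;
	new_F->accept->data = F->accept->data;
	new_F->accept->addrlen = 0;

	if(addrlen < 0 || (size_t) addrlen > sizeof(new_F->accept->S))
	{
		new_F->accept->callback(new_F, RB_ERROR, NULL, 0, new_F->accept->data);
		return;
	}

	if(new_F->ssl == NULL)
	{
		new_F->ssl_errno = get_last_err();
		new_F->accept->callback(new_F, RB_ERROR_SSL, NULL, 0, new_F->accept->data);
		return;
	}

	rb_settimeout(new_F, 10, rb_ssl_timeout, NULL);
	memcpy(&new_F->accept->S, st, (size_t) addrlen);
	new_F->accept->addrlen = addrlen;

	SSL_set_fd((SSL *) new_F->ssl, rb_get_fd(new_F));
	rb_setup_ssl_cb(new_F);
	rb_ssl_accept_common(new_F);
}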
237
/*
 * Shared implementation of rb_ssl_read() and rb_ssl_write().
 *
 * r_or_w  0 reads into rbuf, anything else writes from wbuf
 * count   byte count; it is cast to int for OpenSSL, so callers must keep
 *         it within int range
 *
 * Returns the OpenSSL result when it is >= 0.  On a negative result:
 *   RB_RW_SSL_NEED_READ / RB_RW_SSL_NEED_WRITE  retry later (errno = EAGAIN)
 *   0                                           SSL_ERROR_ZERO_RETURN
 *   RB_RW_SSL_ERROR                             an OpenSSL error was queued
 *                                               (errno = EIO)
 *   RB_RW_IO_ERROR                              no OpenSSL error was queued
 * F->ssl_errno is updated on the two error returns.
 */
static ssize_t
rb_ssl_read_or_write(int r_or_w, rb_fde_t *F, void *rbuf, const void *wbuf, size_t count)
{
	SSL *ssl = F->ssl;
	unsigned long queued;
	ssize_t ret;

	ret = (r_or_w == 0)
		? (ssize_t) SSL_read(ssl, rbuf, (int)count)
		: (ssize_t) SSL_write(ssl, wbuf, (int)count);

	if(ret >= 0)
		return ret;

	switch (SSL_get_error(ssl, ret))
	{
	case SSL_ERROR_WANT_READ:
		errno = EAGAIN;
		return RB_RW_SSL_NEED_READ;
	case SSL_ERROR_WANT_WRITE:
		errno = EAGAIN;
		return RB_RW_SSL_NEED_WRITE;
	case SSL_ERROR_ZERO_RETURN:
		return 0;
	default:
		/* SSL_ERROR_SYSCALL and every other code share the handling below */
		break;
	}

	queued = get_last_err();
	F->ssl_errno = queued;

	if(queued == 0)
		return RB_RW_IO_ERROR;

	errno = EIO;	/* not great but... */
	return RB_RW_SSL_ERROR;
}
284
/*
 * Read up to count bytes of decrypted data from F into buf.
 * Return values are those of rb_ssl_read_or_write().
 */
ssize_t
rb_ssl_read(rb_fde_t *F, void *buf, size_t count)
{
	const int want_read = 0;

	return rb_ssl_read_or_write(want_read, F, buf, NULL, count);
}
290
/*
 * Write up to count bytes from buf to the TLS session on F.
 * Return values are those of rb_ssl_read_or_write().
 */
ssize_t
rb_ssl_write(rb_fde_t *F, const void *buf, size_t count)
{
	const int want_write = 1;

	return rb_ssl_read_or_write(want_write, F, NULL, buf, count);
}
296
7247337a
JT
/*
 * Certificate verification callback that accepts every certificate.
 *
 * Returning 1 regardless of preverify_ok lets the handshake continue even
 * when chain validation failed, so a completed handshake on the server
 * context says nothing about whether the peer certificate is trusted.
 * Peer identity has to come from the fingerprint check in
 * rb_get_ssl_certfp() instead.
 */
static int
verify_accept_all_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)
{
	(void) preverify_ok;
	(void) x509_ctx;

	return 1;
}
302
918d73d5
JT
/*
 * Turn an OpenSSL error code into readable text.
 *
 * The text lives in a single static buffer: each call overwrites the result
 * of the previous one, so the returned pointer must be used before the next
 * call.
 */
static const char *
get_ssl_error(unsigned long err)
{
	static char text[512];

	ERR_error_string_n(err, text, sizeof(text));
	return text;
}
311
db137867
AC
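/*
 * Initialise OpenSSL and create the shared server and client contexts.
 *
 * Returns 1 when both contexts were created, 0 when either SSL_CTX_new()
 * call failed (the failure is logged).
 *
 * Each context is configured only if it was actually created; a failed
 * SSL_CTX_new() leaves the pointer NULL, and the option, verify and cipher
 * setters must not be called on it.
 *
 * Server context: SSLv2/SSLv3 are disabled when the SSLv23 method is in use,
 * single-use DH/ECDH keys and disabled session tickets are requested where
 * the library defines those options, the server's cipher order is preferred,
 * and the session cache is off.  Client certificates are requested
 * (SSL_VERIFY_PEER) but verify_accept_all_cb() accepts every one of them, so
 * chain validation does not gate the handshake.
 *
 * Client context: SSLv2/SSLv3 disabled under the SSLv23 method, session
 * tickets disabled where available, same default cipher string.
 */
int
rb_init_ssl(void)
{
	int ret = 1;
	/* static: the pointer is handed to OpenSSL as the ex_data argp and must stay valid after we return */
	static char librb_data[] = "librb data";
	const char librb_ciphers[] = "kEECDH+HIGH:kEDH+HIGH:HIGH:!RC4:!aNULL";

	SSL_load_error_strings();
	SSL_library_init();
	librb_index = SSL_get_ex_new_index(0, librb_data, NULL, NULL, NULL);

#ifndef LRB_HAVE_TLS_METHOD_API
	ssl_server_ctx = SSL_CTX_new(SSLv23_server_method());
#else
	ssl_server_ctx = SSL_CTX_new(TLS_server_method());
#endif

	if(ssl_server_ctx == NULL)
	{
		rb_lib_log("rb_init_openssl: Unable to initialize OpenSSL server context: %s",
			   get_ssl_error(ERR_get_error()));
		ret = 0;
	}
	else
	{
		long server_options = SSL_CTX_get_options(ssl_server_ctx);

#ifndef LRB_HAVE_TLS_METHOD_API
		server_options |= SSL_OP_NO_SSLv2;
		server_options |= SSL_OP_NO_SSLv3;
#endif

#ifdef SSL_OP_SINGLE_DH_USE
		server_options |= SSL_OP_SINGLE_DH_USE;
#endif

#ifdef SSL_OP_SINGLE_ECDH_USE
		server_options |= SSL_OP_SINGLE_ECDH_USE;
#endif

#ifdef SSL_OP_NO_TICKET
		server_options |= SSL_OP_NO_TICKET;
#endif

		server_options |= SSL_OP_CIPHER_SERVER_PREFERENCE;

		SSL_CTX_set_options(ssl_server_ctx, server_options);
		SSL_CTX_set_verify(ssl_server_ctx, SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE, verify_accept_all_cb);
		SSL_CTX_set_session_cache_mode(ssl_server_ctx, SSL_SESS_CACHE_OFF);
		SSL_CTX_set_cipher_list(ssl_server_ctx, librb_ciphers);

		/* Set ECDHE on OpenSSL 1.00+, but only where the build actually
		 * provides it (some vendor builds are compiled without ECDH).
		 */
#if (OPENSSL_VERSION_NUMBER >= 0x10000000L) && !defined(OPENSSL_NO_ECDH)
		{
			EC_KEY *key = EC_KEY_new_by_curve_name(NID_secp384r1);
			if(key != NULL)
			{
				SSL_CTX_set_tmp_ecdh(ssl_server_ctx, key);
				EC_KEY_free(key);
			}
		}
#endif
	}

#ifndef LRB_HAVE_TLS_METHOD_API
	ssl_client_ctx = SSL_CTX_new(SSLv23_client_method());
#else
	ssl_client_ctx = SSL_CTX_new(TLS_client_method());
#endif

	if(ssl_client_ctx == NULL)
	{
		rb_lib_log("rb_init_openssl: Unable to initialize OpenSSL client context: %s",
			   get_ssl_error(ERR_get_error()));
		ret = 0;
	}
	else
	{
#ifndef LRB_HAVE_TLS_METHOD_API
		SSL_CTX_set_options(ssl_client_ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
#endif

#ifdef SSL_OP_NO_TICKET
		SSL_CTX_set_options(ssl_client_ctx, SSL_OP_NO_TICKET);
#endif

		SSL_CTX_set_cipher_list(ssl_client_ctx, librb_ciphers);
	}

	return ret;
}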
397
398
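/*
 * Load the certificate chain, private key, optional DH parameters and
 * optional cipher list into the shared contexts.
 *
 * cert         PEM certificate chain file; loaded into both contexts
 * keyfile      PEM private key file; loaded into both contexts
 * dhfile       optional DH parameter file for the server context
 * cipher_list  optional OpenSSL cipher string for the server context
 *
 * Returns 1 on success and 0 on failure; every failure is logged.
 *
 * Changes from the earlier behaviour:
 *   - returns 0 instead of dereferencing a NULL context when rb_init_ssl()
 *     did not create both contexts;
 *   - frees the DH object after SSL_CTX_set_tmp_dh(), which keeps its own
 *     copy, so repeated calls no longer leak it;
 *   - a cipher_list that OpenSSL rejects is logged and fails the call,
 *     instead of silently leaving the previous cipher list in force.
 *
 * A dhfile that cannot be opened is still only logged: DH parameters are
 * optional.  A dhfile that opens but does not parse fails the call.
 */
int
rb_setup_ssl_server(const char *cert, const char *keyfile, const char *dhfile, const char *cipher_list)
{
	unsigned long err;

	if(ssl_server_ctx == NULL || ssl_client_ctx == NULL)
	{
		rb_lib_log("rb_setup_ssl_server: SSL contexts are not initialized");
		return 0;
	}

	if(cert == NULL)
	{
		rb_lib_log("rb_setup_ssl_server: No certificate file");
		return 0;
	}
	if(!SSL_CTX_use_certificate_chain_file(ssl_server_ctx, cert) || !SSL_CTX_use_certificate_chain_file(ssl_client_ctx, cert))
	{
		err = ERR_get_error();
		rb_lib_log("rb_setup_ssl_server: Error loading certificate file [%s]: %s", cert,
			   get_ssl_error(err));
		return 0;
	}

	if(keyfile == NULL)
	{
		rb_lib_log("rb_setup_ssl_server: No key file");
		return 0;
	}

	if(!SSL_CTX_use_PrivateKey_file(ssl_server_ctx, keyfile, SSL_FILETYPE_PEM) || !SSL_CTX_use_PrivateKey_file(ssl_client_ctx, keyfile, SSL_FILETYPE_PEM))
	{
		err = ERR_get_error();
		rb_lib_log("rb_setup_ssl_server: Error loading keyfile [%s]: %s", keyfile,
			   get_ssl_error(err));
		return 0;
	}

	if(dhfile != NULL)
	{
		/* DH parameters aren't necessary, but they are nice..if they didn't pass one..that is their problem */
		BIO *bio = BIO_new_file(dhfile, "r");
		if(bio != NULL)
		{
			DH *dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
			if(dh == NULL)
			{
				err = ERR_get_error();
				rb_lib_log
					("rb_setup_ssl_server: Error loading DH params file [%s]: %s",
					 dhfile, get_ssl_error(err));
				BIO_free(bio);
				return 0;
			}
			BIO_free(bio);
			SSL_CTX_set_tmp_dh(ssl_server_ctx, dh);
			/* the context holds its own copy of the parameters */
			DH_free(dh);
		}
		else
		{
			err = ERR_get_error();
			rb_lib_log("rb_setup_ssl_server: Error loading DH params file [%s]: %s",
				   dhfile, get_ssl_error(err));
		}
	}

	if(cipher_list != NULL)
	{
		if(!SSL_CTX_set_cipher_list(ssl_server_ctx, cipher_list))
		{
			err = ERR_get_error();
			rb_lib_log("rb_setup_ssl_server: Error setting cipher list [%s]: %s",
				   cipher_list, get_ssl_error(err));
			return 0;
		}
	}

	return 1;
}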
466
/*
 * Put F into listening state and mark it as a TLS listener.
 *
 * Returns whatever rb_listen() returned.  F->type is overwritten with
 * RB_FD_SOCKET | RB_FD_LISTEN | RB_FD_SSL regardless of that result.
 */
int
rb_ssl_listen(rb_fde_t *F, int backlog, int defer_accept)
{
	const int listen_rc = rb_listen(F, backlog, defer_accept);

	F->type = RB_FD_SOCKET | RB_FD_LISTEN | RB_FD_SSL;

	return listen_rc;
}
477
/*
 * State carried through an outgoing TLS handshake.  Allocated by
 * rb_connect_tcp_ssl() / rb_ssl_start_connected() and freed by
 * rb_ssl_connect_realcb().
 */
struct ssl_connect
{
	CNCB *callback;	/* caller's completion callback, restored onto F->connect when the handshake ends */
	void *data;	/* opaque argument restored together with callback */
	int timeout;	/* value handed to rb_settimeout() for the handshake */
};
484
/*
 * Finish an outgoing TLS connection attempt.
 *
 * Restores the caller's callback and data onto F->connect, frees the
 * handshake state, and reports status through rb_connect_callback().
 * sconn must not be used after this call.
 */
static void
rb_ssl_connect_realcb(rb_fde_t *F, int status, struct ssl_connect *sconn)
{
	CNCB *user_cb = sconn->callback;
	void *user_data = sconn->data;

	F->connect->callback = user_cb;
	F->connect->data = user_data;
	rb_free(sconn);

	rb_connect_callback(F, status);
}
493
/*
 * Timeout handler for an outgoing handshake: complete the attempt with
 * RB_ERR_TIMEOUT.  data is the struct ssl_connect for the attempt.
 */
static void
rb_ssl_tryconn_timeout_cb(rb_fde_t *F, void *data)
{
	struct ssl_connect *sconn = data;

	rb_ssl_connect_realcb(F, RB_ERR_TIMEOUT, sconn);
}
499
/*
 * Select handler that continues an outgoing handshake.
 *
 * Does nothing if the handshake has already finished.  Otherwise calls
 * SSL_connect() again: success completes the attempt with RB_OK; a request
 * for more I/O (or SSL_ERROR_SYSCALL with an errno accepted by
 * rb_ignore_errno()) re-registers this handler; any other error completes
 * the attempt with RB_ERROR_SSL.  ssl_errno is updated on both failure
 * paths.
 */
static void
rb_ssl_tryconn_cb(rb_fde_t *F, void *data)
{
	struct ssl_connect *sconn = data;
	int rc;
	int reason;

	if(SSL_is_init_finished((SSL *) F->ssl))
		return;

	rc = SSL_connect((SSL *) F->ssl);
	if(rc > 0)
	{
		rb_ssl_connect_realcb(F, RB_OK, sconn);
		return;
	}

	reason = SSL_get_error((SSL *) F->ssl, rc);
	if(reason == SSL_ERROR_WANT_READ
	   || reason == SSL_ERROR_WANT_WRITE
	   || (reason == SSL_ERROR_SYSCALL && rb_ignore_errno(errno)))
	{
		F->ssl_errno = get_last_err();
		rb_setselect(F, RB_SELECT_READ | RB_SELECT_WRITE, rb_ssl_tryconn_cb, sconn);
		return;
	}

	F->ssl_errno = get_last_err();
	rb_ssl_connect_realcb(F, RB_ERROR_SSL, sconn);
}
533
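/*
 * TCP connect callback used by rb_connect_tcp_ssl(): once the socket is
 * connected, create the client SSL object and start the handshake.
 *
 * status  result of the TCP connect; anything but RB_OK is passed straight
 *         to the caller's callback
 * data    the struct ssl_connect for this attempt
 *
 * SSL_new() returns NULL on failure, and SSL_set_fd() would dereference
 * that pointer.  The failure is reported as RB_ERROR_SSL, the status already
 * used for handshake errors below.
 */
static void
rb_ssl_tryconn(rb_fde_t *F, int status, void *data)
{
	struct ssl_connect *sconn = data;
	int ssl_err;

	if(status != RB_OK)
	{
		rb_ssl_connect_realcb(F, status, sconn);
		return;
	}

	F->type |= RB_FD_SSL;
	F->ssl = SSL_new(ssl_client_ctx);
	if(F->ssl == NULL)
	{
		F->ssl_errno = get_last_err();
		rb_ssl_connect_realcb(F, RB_ERROR_SSL, sconn);
		return;
	}

	SSL_set_fd((SSL *) F->ssl, F->fd);
	rb_setup_ssl_cb(F);
	rb_settimeout(F, sconn->timeout, rb_ssl_tryconn_timeout_cb, sconn);

	ssl_err = SSL_connect((SSL *) F->ssl);
	if(ssl_err > 0)
	{
		rb_ssl_connect_realcb(F, RB_OK, sconn);
		return;
	}

	ssl_err = SSL_get_error((SSL *) F->ssl, ssl_err);
	if(ssl_err == SSL_ERROR_WANT_READ
	   || ssl_err == SSL_ERROR_WANT_WRITE
	   || (ssl_err == SSL_ERROR_SYSCALL && rb_ignore_errno(errno)))
	{
		/* handshake still in progress: continue from the select handler */
		F->ssl_errno = get_last_err();
		rb_setselect(F, RB_SELECT_READ | RB_SELECT_WRITE, rb_ssl_tryconn_cb, sconn);
		return;
	}

	F->ssl_errno = get_last_err();
	rb_ssl_connect_realcb(F, RB_ERROR_SSL, sconn);
}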
575
/*
 * Open a TCP connection to dest and run a TLS handshake on top of it.
 *
 * The caller's callback and data are parked in a struct ssl_connect and
 * rb_ssl_tryconn() is installed as the TCP connect callback; the caller's
 * callback fires once the handshake has finished or failed.
 * Does nothing when F is NULL.
 */
void
rb_connect_tcp_ssl(rb_fde_t *F, struct sockaddr *dest,
		   struct sockaddr *clocal, CNCB * callback, void *data, int timeout)
{
	struct ssl_connect *sconn;

	if(F == NULL)
		return;

	sconn = rb_malloc(sizeof(*sconn));
	sconn->callback = callback;
	sconn->data = data;
	sconn->timeout = timeout;

	rb_connect_tcp(F, dest, clocal, rb_ssl_tryconn, sconn, timeout);
}
590
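/*
 * Start a client-side TLS handshake on a descriptor that is already
 * connected.
 *
 * callback/data  completion callback and its argument
 * timeout        handed to rb_settimeout() for the handshake
 *
 * Does nothing when F is NULL.
 *
 * SSL_new() returns NULL on failure, and SSL_set_fd() would dereference
 * that pointer.  The failure is reported as RB_ERROR_SSL, the status already
 * used for handshake errors below.
 */
void
rb_ssl_start_connected(rb_fde_t *F, CNCB * callback, void *data, int timeout)
{
	struct ssl_connect *sconn;
	int ssl_err;

	if(F == NULL)
		return;

	sconn = rb_malloc(sizeof(struct ssl_connect));
	sconn->data = data;
	sconn->callback = callback;
	sconn->timeout = timeout;

	F->connect = rb_malloc(sizeof(struct conndata));
	F->connect->callback = callback;
	F->connect->data = data;
	F->type |= RB_FD_SSL;

	F->ssl = SSL_new(ssl_client_ctx);
	if(F->ssl == NULL)
	{
		F->ssl_errno = get_last_err();
		rb_ssl_connect_realcb(F, RB_ERROR_SSL, sconn);
		return;
	}

	SSL_set_fd((SSL *) F->ssl, F->fd);
	rb_setup_ssl_cb(F);
	rb_settimeout(F, sconn->timeout, rb_ssl_tryconn_timeout_cb, sconn);

	ssl_err = SSL_connect((SSL *) F->ssl);
	if(ssl_err > 0)
	{
		rb_ssl_connect_realcb(F, RB_OK, sconn);
		return;
	}

	ssl_err = SSL_get_error((SSL *) F->ssl, ssl_err);
	if(ssl_err == SSL_ERROR_WANT_READ
	   || ssl_err == SSL_ERROR_WANT_WRITE
	   || (ssl_err == SSL_ERROR_SYSCALL && rb_ignore_errno(errno)))
	{
		/* handshake still in progress: continue from the select handler */
		F->ssl_errno = get_last_err();
		rb_setselect(F, RB_SELECT_READ | RB_SELECT_WRITE, rb_ssl_tryconn_cb, sconn);
		return;
	}

	F->ssl_errno = get_last_err();
	rb_ssl_connect_realcb(F, RB_ERROR_SSL, sconn);
}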
637
/*
 * Seed the OpenSSL PRNG.
 *
 * seed_type RB_PRNG_DEFAULT: no extra seeding (RAND_screen() on Windows).
 * seed_type RB_PRNG_FILE:    mix in the contents of path.
 * seed_type RB_PRNGWIN32:    RAND_screen(), Windows builds only.
 *
 * Returns RAND_status() after seeding, or -1 when the seed file could not
 * be loaded or seed_type is not recognised.  A NULL path with a
 * non-default seed_type skips seeding and returns RAND_status().
 */
int
rb_init_prng(const char *path, prng_seed_t seed_type)
{
	if(seed_type == RB_PRNG_DEFAULT)
	{
#ifdef _WIN32
		RAND_screen();
#endif
		return RAND_status();
	}

	if(path == NULL)
		return RAND_status();

	if(seed_type == RB_PRNG_FILE)
	{
		if(RAND_load_file(path, -1) == -1)
			return -1;
	}
#ifdef _WIN32
	else if(seed_type == RB_PRNGWIN32)
	{
		RAND_screen();
	}
#endif
	else
	{
		return -1;
	}

	return RAND_status();
}
668
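/*
 * Fill buf with length bytes from the OpenSSL CSPRNG.
 *
 * Returns 1 when buf was filled and 0 when it was not.  On a 0 return the
 * contents of buf must not be used as random data.
 *
 * Two cases that used to slip through are now reported as failure:
 *   - RAND_bytes() can return -1 as well as 0; -1 was previously passed
 *     back unchanged and reads as "true" to a caller testing for non-zero;
 *   - RAND_bytes() takes an int count, so a length that does not fit in an
 *     int would have been truncated and left part of buf unfilled.
 */
int
rb_get_random(void *buf, size_t length)
{
	int num = (int) length;

	/* reject lengths that do not survive the conversion to int */
	if(num < 0 || (size_t) num != length)
		return 0;

	if(RAND_bytes(buf, num) != 1)
	{
		/* remove the error from the queue */
		ERR_get_error();
		return 0;
	}

	return 1;
}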
681
/*
 * Describe the OpenSSL error last recorded on F (F->ssl_errno).
 *
 * The text is held in get_ssl_error()'s static buffer and is overwritten by
 * the next call.  F must not be NULL.
 */
const char *
rb_get_ssl_strerror(rb_fde_t *F)
{
	unsigned long recorded = F->ssl_errno;

	return get_ssl_error(recorded);
}
687
03469187
SA
/*
 * Compute a fingerprint of cert into certfp.
 *
 * method selects what is hashed and with which digest:
 *   RB_SSL_CERTFP_METH_CERT_*  the whole certificate (SHA1/SHA256/SHA512)
 *   RB_SSL_CERTFP_METH_SPKI_*  the certificate's X509_PUBKEY (SHA256/SHA512)
 *
 * Returns the number of digest bytes written, or 0 for an unknown method or
 * a digest failure.  certfp is declared with RB_SSL_CERTFP_LEN bytes; that
 * it is large enough for the biggest digest is assumed, not checked here.
 */
static unsigned int
make_certfp(X509 *cert, uint8_t certfp[RB_SSL_CERTFP_LEN], int method)
{
	const ASN1_ITEM *it;
	const EVP_MD *evp;
	void *data;
	unsigned int len;
	int hash_spki;

	switch(method)
	{
	case RB_SSL_CERTFP_METH_CERT_SHA1:
		hash_spki = 0;
		evp = EVP_sha1();
		len = RB_SSL_CERTFP_LEN_SHA1;
		break;
	case RB_SSL_CERTFP_METH_CERT_SHA256:
		hash_spki = 0;
		evp = EVP_sha256();
		len = RB_SSL_CERTFP_LEN_SHA256;
		break;
	case RB_SSL_CERTFP_METH_CERT_SHA512:
		hash_spki = 0;
		evp = EVP_sha512();
		len = RB_SSL_CERTFP_LEN_SHA512;
		break;
	case RB_SSL_CERTFP_METH_SPKI_SHA256:
		hash_spki = 1;
		evp = EVP_sha256();
		len = RB_SSL_CERTFP_LEN_SHA256;
		break;
	case RB_SSL_CERTFP_METH_SPKI_SHA512:
		hash_spki = 1;
		evp = EVP_sha512();
		len = RB_SSL_CERTFP_LEN_SHA512;
		break;
	default:
		return 0;
	}

	if(hash_spki)
	{
		it = ASN1_ITEM_rptr(X509_PUBKEY);
		data = X509_get_X509_PUBKEY(cert);
	}
	else
	{
		it = ASN1_ITEM_rptr(X509);
		data = cert;
	}

	if(ASN1_item_digest(it, evp, data, certfp, &len) != 1)
		return 0;

	return len;
}
736
/*
 * Compute the fingerprint of the peer certificate presented on F.
 *
 * Returns the fingerprint length in bytes, or 0 when there is no TLS
 * session, no peer certificate, the verification result is not one of the
 * tolerated ones, or the digest failed.
 *
 * A fingerprint is produced not only for X509_V_OK but also for
 * self-signed, untrusted, unverifiable-issuer, not-yet-valid and expired
 * certificates.  A non-zero return therefore does not mean the certificate
 * chain was trusted or that the certificate is within its validity period;
 * the fingerprint identifies a peer only when the caller compares it
 * against a value it already trusts.
 */
int
rb_get_ssl_certfp(rb_fde_t *F, uint8_t certfp[RB_SSL_CERTFP_LEN], int method)
{
	X509 *cert;
	int fp_len = 0;

	if(F->ssl == NULL)
		return 0;

	cert = SSL_get_peer_certificate((SSL *) F->ssl);
	if(cert == NULL)
		return 0;

	switch(SSL_get_verify_result((SSL *) F->ssl))
	{
	case X509_V_OK:
	case X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN:
	case X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE:
	case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
	case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY:
	case X509_V_ERR_CERT_UNTRUSTED:
	case X509_V_ERR_CERT_NOT_YET_VALID:
	case X509_V_ERR_CERT_HAS_EXPIRED:
		fp_len = (int) make_certfp(cert, certfp, method);
		break;
	default:
		/* any other verification failure: no fingerprint */
		break;
	}

	X509_free(cert);
	return fp_len;
}
769
03469187
SA
/*
 * Compute the fingerprint of the first PEM certificate in filename.
 *
 * Returns the fingerprint length in bytes, 0 when no certificate could be
 * parsed from the file or the digest failed, and -1 when the file could not
 * be opened.  filename must not be NULL.
 */
int
rb_get_ssl_certfp_file(const char *filename, uint8_t certfp[RB_SSL_CERTFP_LEN], int method)
{
	FILE *fp = fopen(filename, "r");
	X509 *cert;
	int fp_len;

	if(fp == NULL)
		return -1;

	cert = PEM_read_X509(fp, NULL, NULL, NULL);
	fclose(fp);

	if(cert == NULL)
		return 0;

	fp_len = (int) make_certfp(cert, certfp, method);
	X509_free(cert);

	return fp_len;
}
789
db137867
AC
/*
 * Report whether this build has TLS support.  This is the OpenSSL backend,
 * so the answer is always 1.
 */
int
rb_supports_ssl(void)
{
	const int tls_available = 1;

	return tls_available;
}
795
030272f3
VY
/*
 * Write a one-line description of the TLS library into buf (at most len
 * bytes, NUL-terminated by snprintf): the library's version string, the
 * version number this file was compiled against, and the version number of
 * the library in use at run time.
 */
void
rb_get_ssl_info(char *buf, size_t len)
{
	const char *version_text = SSLeay_version(SSLEAY_VERSION);
	long compiled_against = (long)OPENSSL_VERSION_NUMBER;

	snprintf(buf, len, "Using SSL: %s compiled: 0x%lx, library 0x%lx",
		 version_text, compiled_against, SSLeay());
}
803
833b2f9c
AC
/*
 * Return the name of the cipher negotiated on F, or NULL when F is NULL,
 * has no TLS session, or no cipher is currently in use.
 */
const char *
rb_ssl_get_cipher(rb_fde_t *F)
{
	const SSL_CIPHER *current = NULL;

	if(F != NULL && F->ssl != NULL)
		current = SSL_get_current_cipher(F->ssl);

	return (current != NULL) ? SSL_CIPHER_get_name(current) : NULL;
}
030272f3 817
db137867 818#endif /* HAVE_OPENSSL */