]> jfr.im git - solanum.git/blob - librb/src/gnutls.c
projects / solanum.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
librb: gnutls: check return value of fread()
[solanum.git] / librb / src / gnutls.c
1 /*
2 * librb: a library used by charybdis and other things
3 * gnutls.c: gnutls related code
4 *
5 * Copyright (C) 2007-2008 ircd-ratbox development team
6 * Copyright (C) 2007-2008 Aaron Sethman <androsyn@ratbox.org>
7 *
8 * This program is free software; you can redistribute it and/or modify
9 * it under the terms of the GNU General Public License as published by
10 * the Free Software Foundation; either version 2 of the License, or
11 * (at your option) any later version.
12 *
13 * This program is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
17 *
18 * You should have received a copy of the GNU General Public License
19 * along with this program; if not, write to the Free Software
20 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301
21 * USA
22 *
23 */
24
25 #include <librb_config.h>
26 #include <rb_lib.h>
27 #include <commio-int.h>
28 #include <commio-ssl.h>
29 #include <stdbool.h>
30 #ifdef HAVE_GNUTLS
31
32 #include <gnutls/gnutls.h>
33 #include <gnutls/x509.h>
34 #include <gnutls/abstract.h>
35
36 #if (GNUTLS_VERSION_MAJOR < 3)
37 # include <gcrypt.h>
38 #else
39 # include <gnutls/crypto.h>
40 #endif
41
42 static gnutls_certificate_credentials_t x509;
43 static gnutls_dh_params_t dh_params;
44 static gnutls_priority_t default_priority;
45
46 /* These are all used for getting GnuTLS to supply a client cert. */
47 #define MAX_CERTS 6
48 static unsigned int x509_cert_count;
49 static gnutls_x509_crt_t x509_cert[MAX_CERTS];
50 static gnutls_x509_privkey_t x509_key;
51 #if GNUTLS_VERSION_MAJOR < 3
52 static int cert_callback(gnutls_session_t session, const gnutls_datum_t *req_ca_rdn, int nreqs,
53 const gnutls_pk_algorithm_t *sign_algos, int sign_algos_len, gnutls_retr_st *st);
54 #else
55 static int cert_callback(gnutls_session_t session, const gnutls_datum_t *req_ca_rdn, int nreqs,
56 const gnutls_pk_algorithm_t *sign_algos, int sign_algos_len, gnutls_retr2_st *st);
57 #endif
58
59 #define SSL_P(x) *((gnutls_session_t *)F->ssl)
60
61 void
62 rb_ssl_shutdown(rb_fde_t *F)
63 {
64 int i;
65 if(F == NULL || F->ssl == NULL)
66 return;
67 for(i = 0; i < 4; i++)
68 {
69 if(gnutls_bye(SSL_P(F), GNUTLS_SHUT_RDWR) == GNUTLS_E_SUCCESS)
70 break;
71 }
72 gnutls_deinit(SSL_P(F));
73 rb_free(F->ssl);
74 }
75
76 unsigned int
77 rb_ssl_handshake_count(rb_fde_t *F)
78 {
79 return F->handshake_count;
80 }
81
82 void
83 rb_ssl_clear_handshake_count(rb_fde_t *F)
84 {
85 F->handshake_count = 0;
86 }
87
88 static void
89 rb_ssl_timeout(rb_fde_t *F, void *notused)
90 {
91 lrb_assert(F->accept != NULL);
92 F->accept->callback(F, RB_ERR_TIMEOUT, NULL, 0, F->accept->data);
93 }
94
95
96 static int
97 do_ssl_handshake(rb_fde_t *F, PF * callback, void *data)
98 {
99 int ret;
100 int flags;
101
102 ret = gnutls_handshake(SSL_P(F));
103 if(ret < 0)
104 {
105 if((ret == GNUTLS_E_INTERRUPTED && rb_ignore_errno(errno)) || ret == GNUTLS_E_AGAIN)
106 {
107 if(gnutls_record_get_direction(SSL_P(F)) == 0)
108 flags = RB_SELECT_READ;
109 else
110 flags = RB_SELECT_WRITE;
111 rb_setselect(F, flags, callback, data);
112 return 0;
113 }
114 F->ssl_errno = ret;
115 return -1;
116 }
117 return 1; /* handshake is finished..go about life */
118 }
119
120 static void
121 rb_ssl_tryaccept(rb_fde_t *F, void *data)
122 {
123 int ret;
124 struct acceptdata *ad;
125
126 lrb_assert(F->accept != NULL);
127
128 ret = do_ssl_handshake(F, rb_ssl_tryaccept, NULL);
129
130 /* do_ssl_handshake does the rb_setselect */
131 if(ret == 0)
132 return;
133
134 ad = F->accept;
135 F->accept = NULL;
136 rb_settimeout(F, 0, NULL, NULL);
137 rb_setselect(F, RB_SELECT_READ | RB_SELECT_WRITE, NULL, NULL);
138
139 if(ret > 0)
140 ad->callback(F, RB_OK, (struct sockaddr *)&ad->S, ad->addrlen, ad->data);
141 else
142 ad->callback(F, RB_ERROR_SSL, NULL, 0, ad->data);
143
144 rb_free(ad);
145 }
146
147 void
148 rb_ssl_start_accepted(rb_fde_t *new_F, ACCB * cb, void *data, int timeout)
149 {
150 gnutls_session_t *ssl;
151 new_F->type |= RB_FD_SSL;
152 ssl = new_F->ssl = rb_malloc(sizeof(gnutls_session_t));
153 new_F->accept = rb_malloc(sizeof(struct acceptdata));
154
155 new_F->accept->callback = cb;
156 new_F->accept->data = data;
157 rb_settimeout(new_F, timeout, rb_ssl_timeout, NULL);
158
159 new_F->accept->addrlen = 0;
160
161 gnutls_init(ssl, GNUTLS_SERVER);
162 gnutls_set_default_priority(*ssl);
163 gnutls_credentials_set(*ssl, GNUTLS_CRD_CERTIFICATE, x509);
164 gnutls_dh_set_prime_bits(*ssl, 1024);
165 gnutls_transport_set_ptr(*ssl, (gnutls_transport_ptr_t) (long int)new_F->fd);
166 gnutls_certificate_server_set_request(*ssl, GNUTLS_CERT_REQUEST);
167 gnutls_priority_set(*ssl, default_priority);
168
169 if(do_ssl_handshake(new_F, rb_ssl_tryaccept, NULL))
170 {
171 struct acceptdata *ad = new_F->accept;
172 new_F->accept = NULL;
173 ad->callback(new_F, RB_OK, (struct sockaddr *)&ad->S, ad->addrlen, ad->data);
174 rb_free(ad);
175 }
176
177 }
178
179
180
181
182 void
183 rb_ssl_accept_setup(rb_fde_t *F, rb_fde_t *new_F, struct sockaddr *st, int addrlen)
184 {
185 new_F->type |= RB_FD_SSL;
186 new_F->ssl = rb_malloc(sizeof(gnutls_session_t));
187 new_F->accept = rb_malloc(sizeof(struct acceptdata));
188
189 new_F->accept->callback = F->accept->callback;
190 new_F->accept->data = F->accept->data;
191 rb_settimeout(new_F, 10, rb_ssl_timeout, NULL);
192 memcpy(&new_F->accept->S, st, addrlen);
193 new_F->accept->addrlen = addrlen;
194
195 gnutls_init((gnutls_session_t *) new_F->ssl, GNUTLS_SERVER);
196 gnutls_set_default_priority(SSL_P(new_F));
197 gnutls_credentials_set(SSL_P(new_F), GNUTLS_CRD_CERTIFICATE, x509);
198 gnutls_dh_set_prime_bits(SSL_P(new_F), 1024);
199 gnutls_transport_set_ptr(SSL_P(new_F), (gnutls_transport_ptr_t) (long int)rb_get_fd(new_F));
200 gnutls_certificate_server_set_request(SSL_P(new_F), GNUTLS_CERT_REQUEST);
201 gnutls_priority_set(SSL_P(F), default_priority);
202
203 if(do_ssl_handshake(F, rb_ssl_tryaccept, NULL))
204 {
205 struct acceptdata *ad = F->accept;
206 F->accept = NULL;
207 ad->callback(F, RB_OK, (struct sockaddr *)&ad->S, ad->addrlen, ad->data);
208 rb_free(ad);
209 }
210 }
211
212
213
214
215 static ssize_t
216 rb_ssl_read_or_write(int r_or_w, rb_fde_t *F, void *rbuf, const void *wbuf, size_t count)
217 {
218 ssize_t ret;
219 gnutls_session_t *ssl = F->ssl;
220
221 if(r_or_w == 0)
222 ret = gnutls_record_recv(*ssl, rbuf, count);
223 else
224 ret = gnutls_record_send(*ssl, wbuf, count);
225
226 if(ret < 0)
227 {
228 switch (ret)
229 {
230 case GNUTLS_E_AGAIN:
231 case GNUTLS_E_INTERRUPTED:
232 if(rb_ignore_errno(errno))
233 {
234 if(gnutls_record_get_direction(*ssl) == 0)
235 return RB_RW_SSL_NEED_READ;
236 else
237 return RB_RW_SSL_NEED_WRITE;
238 break;
239 }
240 default:
241 F->ssl_errno = ret;
242 errno = EIO;
243 return RB_RW_IO_ERROR;
244 }
245 }
246 return ret;
247 }
248
249 ssize_t
250 rb_ssl_read(rb_fde_t *F, void *buf, size_t count)
251 {
252 return rb_ssl_read_or_write(0, F, buf, NULL, count);
253 }
254
255 ssize_t
256 rb_ssl_write(rb_fde_t *F, const void *buf, size_t count)
257 {
258 return rb_ssl_read_or_write(1, F, NULL, buf, count);
259 }
260
261 #if (GNUTLS_VERSION_MAJOR < 3)
262 static void
263 rb_gcry_random_seed(void *unused)
264 {
265 gcry_fast_random_poll();
266 }
267 #endif
268
269 int
270 rb_init_ssl(void)
271 {
272 gnutls_global_init();
273
274 if(gnutls_certificate_allocate_credentials(&x509) != GNUTLS_E_SUCCESS)
275 {
276 rb_lib_log("rb_init_ssl: Unable to allocate SSL/TLS certificate credentials");
277 return 0;
278 }
279
280 #if GNUTLS_VERSION_MAJOR < 3
281 gnutls_certificate_client_set_retrieve_function(x509, cert_callback);
282 #else
283 gnutls_certificate_set_retrieve_function(x509, cert_callback);
284 #endif
285
286 #if (GNUTLS_VERSION_MAJOR < 3)
287 rb_event_addish("rb_gcry_random_seed", rb_gcry_random_seed, NULL, 300);
288 #endif
289
290 return 1;
291 }
292
293 /* We only have one certificate to authenticate with, as both client and server. Unfortunately,
294 * GnuTLS tries to be clever, and as client, will attempt to use a certificate that the server
295 * will trust. We usually use self-signed certs, though, so the result of this search is always
296 * nothing. Therefore, it uses no certificate to authenticate as a client. This is undesirable
297 * as it breaks fingerprint auth. Thus, we use this callback to force GnuTLS to always
298 * authenticate with our certificate at all times.
299 */
300 #if GNUTLS_VERSION_MAJOR < 3
301 static int
302 cert_callback(gnutls_session_t session, const gnutls_datum_t *req_ca_rdn, int nreqs,
303 const gnutls_pk_algorithm_t *sign_algos, int sign_algos_len, gnutls_retr_st *st)
304 #else
305 static int
306 cert_callback(gnutls_session_t session, const gnutls_datum_t *req_ca_rdn, int nreqs,
307 const gnutls_pk_algorithm_t *sign_algos, int sign_algos_len, gnutls_retr2_st *st)
308 #endif
309 {
310 /* XXX - ugly hack. Tell GnuTLS to use the first (only) certificate we have for auth. */
311 #if (GNUTLS_VERSION_MAJOR < 3)
312 st->type = GNUTLS_CRT_X509;
313 #else
314 st->cert_type = GNUTLS_CRT_X509;
315 st->key_type = GNUTLS_PRIVKEY_X509;
316 #endif
317 st->ncerts = x509_cert_count;
318 st->cert.x509 = x509_cert;
319 st->key.x509 = x509_key;
320 st->deinit_all = 0;
321
322 return 0;
323 }
324
325 static void
326 rb_free_datum_t(gnutls_datum_t * d)
327 {
328 rb_free(d->data);
329 rb_free(d);
330 }
331
332 static gnutls_datum_t *
333 rb_load_file_into_datum_t(const char *file)
334 {
335 FILE *f;
336 gnutls_datum_t *datum;
337 struct stat fileinfo;
338 int count;
339 if((f = fopen(file, "r")) == NULL)
340 return NULL;
341 if(fstat(fileno(f), &fileinfo))
342 return NULL;
343
344 datum = rb_malloc(sizeof(gnutls_datum_t));
345
346 if(fileinfo.st_size > 131072) /* deal with retards */
347 datum->size = 131072;
348 else
349 datum->size = fileinfo.st_size;
350
351 datum->data = rb_malloc(datum->size + 1);
352 count = fread(datum->data, datum->size, 1, f);
353 fclose(f);
354
355 if(count != 1)
356 {
357 rb_free_datum_t(datum);
358 return NULL;
359 }
360 return datum;
361 }
362
363 int
364 rb_setup_ssl_server(const char *cert, const char *keyfile, const char *dhfile, const char *cipher_list)
365 {
366 int ret;
367 const char *err;
368 gnutls_datum_t *d_cert, *d_key;
369 if(cert == NULL)
370 {
371 rb_lib_log("rb_setup_ssl_server: No certificate file");
372 return 0;
373 }
374
375 if((d_cert = rb_load_file_into_datum_t(cert)) == NULL)
376 {
377 rb_lib_log("rb_setup_ssl_server: Error loading certificate: %s", strerror(errno));
378 return 0;
379 }
380
381 if((d_key = rb_load_file_into_datum_t(keyfile)) == NULL)
382 {
383 rb_lib_log("rb_setup_ssl_server: Error loading key: %s", strerror(errno));
384 return 0;
385 }
386
387 /* In addition to creating the certificate set, we also need to store our cert elsewhere
388 * so we can force GnuTLS to identify with it when acting as a client.
389 */
390 gnutls_x509_privkey_init(&x509_key);
391 if ((ret = gnutls_x509_privkey_import(x509_key, d_key, GNUTLS_X509_FMT_PEM)) != GNUTLS_E_SUCCESS)
392 {
393 rb_lib_log("rb_setup_ssl_server: Error loading key file: %s", gnutls_strerror(ret));
394 return 0;
395 }
396
397 x509_cert_count = MAX_CERTS;
398 if ((ret = gnutls_x509_crt_list_import(x509_cert, &x509_cert_count, d_cert, GNUTLS_X509_FMT_PEM,
399 GNUTLS_X509_CRT_LIST_IMPORT_FAIL_IF_EXCEED)) < 0)
400 {
401 rb_lib_log("rb_setup_ssl_server: Error loading certificate: %s", gnutls_strerror(ret));
402 return 0;
403 }
404 x509_cert_count = ret;
405
406 if((ret =
407 gnutls_certificate_set_x509_key_mem(x509, d_cert, d_key,
408 GNUTLS_X509_FMT_PEM)) != GNUTLS_E_SUCCESS)
409 {
410 rb_lib_log("rb_setup_ssl_server: Error loading certificate or key file: %s",
411 gnutls_strerror(ret));
412 return 0;
413 }
414
415 rb_free_datum_t(d_cert);
416 rb_free_datum_t(d_key);
417
418 if(dhfile != NULL)
419 {
420 if(gnutls_dh_params_init(&dh_params) == GNUTLS_E_SUCCESS)
421 {
422 gnutls_datum_t *data;
423 int xret;
424 data = rb_load_file_into_datum_t(dhfile);
425 if(data != NULL)
426 {
427 xret = gnutls_dh_params_import_pkcs3(dh_params, data,
428 GNUTLS_X509_FMT_PEM);
429 if(xret < 0)
430 rb_lib_log
431 ("rb_setup_ssl_server: Error parsing DH file: %s\n",
432 gnutls_strerror(xret));
433 rb_free_datum_t(data);
434 }
435 gnutls_certificate_set_dh_params(x509, dh_params);
436 }
437 else
438 rb_lib_log("rb_setup_ssl_server: Unable to setup DH parameters");
439 }
440
441 ret = gnutls_priority_init(&default_priority, cipher_list, &err);
442 if (ret < 0)
443 {
444 rb_lib_log("rb_setup_ssl_server: syntax error (using defaults instead) in ssl cipher list at: %s", err);
445 gnutls_priority_init(&default_priority, NULL, &err);
446 return 1;
447 }
448
449 return 1;
450 }
451
452 int
453 rb_ssl_listen(rb_fde_t *F, int backlog, int defer_accept)
454 {
455 int result;
456
457 result = rb_listen(F, backlog, defer_accept);
458 F->type = RB_FD_SOCKET | RB_FD_LISTEN | RB_FD_SSL;
459
460 return result;
461 }
462
463 struct ssl_connect
464 {
465 CNCB *callback;
466 void *data;
467 int timeout;
468 };
469
470 static void
471 rb_ssl_connect_realcb(rb_fde_t *F, int status, struct ssl_connect *sconn)
472 {
473 F->connect->callback = sconn->callback;
474 F->connect->data = sconn->data;
475 rb_free(sconn);
476 rb_connect_callback(F, status);
477 }
478
479 static void
480 rb_ssl_tryconn_timeout_cb(rb_fde_t *F, void *data)
481 {
482 rb_ssl_connect_realcb(F, RB_ERR_TIMEOUT, data);
483 }
484
485 static void
486 rb_ssl_tryconn_cb(rb_fde_t *F, void *data)
487 {
488 struct ssl_connect *sconn = data;
489 int ret;
490
491 ret = do_ssl_handshake(F, rb_ssl_tryconn_cb, (void *)sconn);
492
493 switch (ret)
494 {
495 case -1:
496 rb_ssl_connect_realcb(F, RB_ERROR_SSL, sconn);
497 break;
498 case 0:
499 /* do_ssl_handshake does the rb_setselect stuff */
500 return;
501 default:
502 break;
503
504
505 }
506 rb_ssl_connect_realcb(F, RB_OK, sconn);
507 }
508
509 static void
510 rb_ssl_tryconn(rb_fde_t *F, int status, void *data)
511 {
512 struct ssl_connect *sconn = data;
513 if(status != RB_OK)
514 {
515 rb_ssl_connect_realcb(F, status, sconn);
516 return;
517 }
518
519 F->type |= RB_FD_SSL;
520
521
522 rb_settimeout(F, sconn->timeout, rb_ssl_tryconn_timeout_cb, sconn);
523 F->ssl = rb_malloc(sizeof(gnutls_session_t));
524 gnutls_init(F->ssl, GNUTLS_CLIENT);
525 gnutls_set_default_priority(SSL_P(F));
526 gnutls_credentials_set(SSL_P(F), GNUTLS_CRD_CERTIFICATE, x509);
527 gnutls_dh_set_prime_bits(SSL_P(F), 1024);
528 gnutls_transport_set_ptr(SSL_P(F), (gnutls_transport_ptr_t) (long int)F->fd);
529 gnutls_priority_set(SSL_P(F), default_priority);
530
531 do_ssl_handshake(F, rb_ssl_tryconn_cb, (void *)sconn);
532 }
533
534 void
535 rb_connect_tcp_ssl(rb_fde_t *F, struct sockaddr *dest,
536 struct sockaddr *clocal, CNCB * callback, void *data, int timeout)
537 {
538 struct ssl_connect *sconn;
539 if(F == NULL)
540 return;
541
542 sconn = rb_malloc(sizeof(struct ssl_connect));
543 sconn->data = data;
544 sconn->callback = callback;
545 sconn->timeout = timeout;
546 rb_connect_tcp(F, dest, clocal, rb_ssl_tryconn, sconn, timeout);
547
548 }
549
550 void
551 rb_ssl_start_connected(rb_fde_t *F, CNCB * callback, void *data, int timeout)
552 {
553 struct ssl_connect *sconn;
554 if(F == NULL)
555 return;
556
557 sconn = rb_malloc(sizeof(struct ssl_connect));
558 sconn->data = data;
559 sconn->callback = callback;
560 sconn->timeout = timeout;
561 F->connect = rb_malloc(sizeof(struct conndata));
562 F->connect->callback = callback;
563 F->connect->data = data;
564 F->type |= RB_FD_SSL;
565 F->ssl = rb_malloc(sizeof(gnutls_session_t));
566
567 gnutls_init(F->ssl, GNUTLS_CLIENT);
568 gnutls_set_default_priority(SSL_P(F));
569 gnutls_credentials_set(SSL_P(F), GNUTLS_CRD_CERTIFICATE, x509);
570 gnutls_dh_set_prime_bits(SSL_P(F), 1024);
571 gnutls_transport_set_ptr(SSL_P(F), (gnutls_transport_ptr_t) (long int)F->fd);
572 gnutls_priority_set(SSL_P(F), default_priority);
573
574 rb_settimeout(F, sconn->timeout, rb_ssl_tryconn_timeout_cb, sconn);
575
576 do_ssl_handshake(F, rb_ssl_tryconn_cb, (void *)sconn);
577 }
578
579 int
580 rb_init_prng(const char *path, prng_seed_t seed_type)
581 {
582 #if GNUTLS_VERSION_MAJOR < 3
583 gcry_fast_random_poll();
584 #endif
585 return 1;
586 }
587
588 int
589 rb_get_random(void *buf, size_t length)
590 {
591 #if GNUTLS_VERSION_MAJOR < 3
592 gcry_randomize(buf, length, GCRY_STRONG_RANDOM);
593 #else
594 gnutls_rnd(GNUTLS_RND_KEY, buf, length);
595 #endif
596 return 1;
597 }
598
599 const char *
600 rb_get_ssl_strerror(rb_fde_t *F)
601 {
602 return gnutls_strerror(F->ssl_errno);
603 }
604
605 int
606 rb_get_ssl_certfp(rb_fde_t *F, uint8_t certfp[RB_SSL_CERTFP_LEN], int method)
607 {
608 gnutls_x509_crt_t cert;
609 gnutls_digest_algorithm_t algo;
610 unsigned int cert_list_size;
611 const gnutls_datum_t *cert_list;
612 uint8_t digest[RB_SSL_CERTFP_LEN * 2];
613 size_t digest_size;
614 int len;
615 bool spki = false;
616
617 if (gnutls_certificate_type_get(SSL_P(F)) != GNUTLS_CRT_X509)
618 return 0;
619
620 if (gnutls_x509_crt_init(&cert) < 0)
621 return 0;
622
623 cert_list_size = 0;
624 cert_list = gnutls_certificate_get_peers(SSL_P(F), &cert_list_size);
625 if (cert_list == NULL)
626 {
627 gnutls_x509_crt_deinit(cert);
628 return 0;
629 }
630
631 if (gnutls_x509_crt_import(cert, &cert_list[0], GNUTLS_X509_FMT_DER) < 0)
632 {
633 gnutls_x509_crt_deinit(cert);
634 return 0;
635 }
636
637 switch(method)
638 {
639 case RB_SSL_CERTFP_METH_CERT_SHA1:
640 algo = GNUTLS_DIG_SHA1;
641 len = RB_SSL_CERTFP_LEN_SHA1;
642 break;
643 case RB_SSL_CERTFP_METH_SPKI_SHA256:
644 spki = true;
645 case RB_SSL_CERTFP_METH_CERT_SHA256:
646 algo = GNUTLS_DIG_SHA256;
647 len = RB_SSL_CERTFP_LEN_SHA256;
648 break;
649 case RB_SSL_CERTFP_METH_SPKI_SHA512:
650 spki = true;
651 case RB_SSL_CERTFP_METH_CERT_SHA512:
652 algo = GNUTLS_DIG_SHA512;
653 len = RB_SSL_CERTFP_LEN_SHA512;
654 break;
655 default:
656 return 0;
657 }
658
659 if (!spki)
660 {
661 if (gnutls_x509_crt_get_fingerprint(cert, algo, digest, &digest_size) < 0)
662 len = 0;
663 }
664 else
665 {
666 gnutls_pubkey_t pubkey;
667 unsigned char *der_pubkey = NULL;
668 size_t der_pubkey_len = 0;
669
670 if (gnutls_pubkey_init(&pubkey) == GNUTLS_E_SUCCESS)
671 {
672 if (gnutls_pubkey_import_x509(pubkey, cert, 0) == GNUTLS_E_SUCCESS)
673 {
674 if (gnutls_pubkey_export(pubkey, GNUTLS_X509_FMT_DER, der_pubkey, &der_pubkey_len) == GNUTLS_E_SHORT_MEMORY_BUFFER)
675 {
676 der_pubkey = rb_malloc(der_pubkey_len);
677
678 if (gnutls_pubkey_export(pubkey, GNUTLS_X509_FMT_DER, der_pubkey, &der_pubkey_len) != GNUTLS_E_SUCCESS)
679 {
680 rb_free(der_pubkey);
681 der_pubkey = NULL;
682 }
683 }
684 }
685
686 gnutls_pubkey_deinit(pubkey);
687 }
688
689 if (der_pubkey)
690 {
691 if (gnutls_hash_fast(algo, der_pubkey, der_pubkey_len, digest) != 0)
692 len = 0;
693
694 rb_free(der_pubkey);
695 }
696 else
697 {
698 len = 0;
699 }
700 }
701
702 if (len)
703 memcpy(certfp, digest, len);
704
705 gnutls_x509_crt_deinit(cert);
706 return len;
707 }
708
709 int
710 rb_supports_ssl(void)
711 {
712 return 1;
713 }
714
715 void
716 rb_get_ssl_info(char *buf, size_t len)
717 {
718 snprintf(buf, len, "GNUTLS: compiled (%s), library(%s)",
719 LIBGNUTLS_VERSION, gnutls_check_version(NULL));
720 }
721
722 const char *
723 rb_ssl_get_cipher(rb_fde_t *F)
724 {
725 static char buf[1024];
726
727 snprintf(buf, sizeof(buf), "%s-%s-%s-%s",
728 gnutls_protocol_get_name(gnutls_protocol_get_version(SSL_P(F))),
729 gnutls_kx_get_name(gnutls_kx_get(SSL_P(F))),
730 gnutls_cipher_get_name(gnutls_cipher_get(SSL_P(F))),
731 gnutls_mac_get_name(gnutls_mac_get(SSL_P(F))));
732
733 return buf;
734 }
735
736 #endif /* HAVE_GNUTLS */
Fork of solanum ircd, history is rebased regularly