]> jfr.im git - solanum.git/blob - libratbox/src/openssl.c
projects / solanum.git / blob
? search:


48ae2f8c5b8eecddb50294e422d233e027832bad
[solanum.git] / libratbox / src / openssl.c
1 /*
2 * libratbox: a library used by ircd-ratbox and other things
3 * openssl.c: openssl related code
4 *
5 * Copyright (C) 2007-2008 ircd-ratbox development team
6 * Copyright (C) 2007-2008 Aaron Sethman <androsyn@ratbox.org>
7 *
8 * This program is free software; you can redistribute it and/or modify
9 * it under the terms of the GNU General Public License as published by
10 * the Free Software Foundation; either version 2 of the License, or
11 * (at your option) any later version.
12 *
13 * This program is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
17 *
18 * You should have received a copy of the GNU General Public License
19 * along with this program; if not, write to the Free Software
20 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301
21 * USA
22 *
23 * $Id: commio.c 24808 2008-01-02 08:17:05Z androsyn $
24 */
25
26 #include <libratbox_config.h>
27 #include <ratbox_lib.h>
28
29 #ifdef HAVE_OPENSSL
30
31 #include <commio-int.h>
32 #include <commio-ssl.h>
33 #include <openssl/ssl.h>
34 #include <openssl/dh.h>
35 #include <openssl/err.h>
36 #include <openssl/evp.h>
37 #include <openssl/rand.h>
38 #include <openssl/opensslv.h>
39
40 /*
41 * This is a mess but what can you do when the library authors
42 * refuse to play ball with established conventions?
43 */
44 #if defined(LIBRESSL_VERSION_NUMBER) && (LIBRESSL_VERSION_NUMBER >= 0x20020002L)
45 # define LRB_HAVE_TLS_METHOD_API 1
46 #else
47 # if !defined(LIBRESSL_VERSION_NUMBER) && (OPENSSL_VERSION_NUMBER >= 0x10100000L)
48 # define LRB_HAVE_TLS_METHOD_API 1
49 # endif
50 #endif
51
52 static SSL_CTX *ssl_server_ctx;
53 static SSL_CTX *ssl_client_ctx;
54 static int libratbox_index = -1;
55
56 static unsigned long
57 get_last_err(void)
58 {
59 unsigned long t_err, err = 0;
60 err = ERR_get_error();
61 if(err == 0)
62 return 0;
63
64 while((t_err = ERR_get_error()) > 0)
65 err = t_err;
66
67 return err;
68 }
69
70 void
71 rb_ssl_shutdown(rb_fde_t *F)
72 {
73 int i;
74 if(F == NULL || F->ssl == NULL)
75 return;
76 SSL_set_shutdown((SSL *) F->ssl, SSL_RECEIVED_SHUTDOWN);
77
78 for(i = 0; i < 4; i++)
79 {
80 if(SSL_shutdown((SSL *) F->ssl))
81 break;
82 }
83 get_last_err();
84 SSL_free((SSL *) F->ssl);
85 }
86
87 unsigned int
88 rb_ssl_handshake_count(rb_fde_t *F)
89 {
90 return F->handshake_count;
91 }
92
93 void
94 rb_ssl_clear_handshake_count(rb_fde_t *F)
95 {
96 F->handshake_count = 0;
97 }
98
99 static void
100 rb_ssl_timeout(rb_fde_t *F, void *notused)
101 {
102 lrb_assert(F->accept != NULL);
103 F->accept->callback(F, RB_ERR_TIMEOUT, NULL, 0, F->accept->data);
104 }
105
106
107 static void
108 rb_ssl_info_callback(SSL * ssl, int where, int ret)
109 {
110 if(where & SSL_CB_HANDSHAKE_START)
111 {
112 rb_fde_t *F = SSL_get_ex_data(ssl, libratbox_index);
113 if(F == NULL)
114 return;
115 F->handshake_count++;
116 }
117 }
118
119 static void
120 rb_setup_ssl_cb(rb_fde_t *F)
121 {
122 SSL_set_ex_data(F->ssl, libratbox_index, (char *)F);
123 SSL_set_info_callback((SSL *) F->ssl, (void (*)(const SSL *,int,int))rb_ssl_info_callback);
124 }
125
126 static void
127 rb_ssl_tryaccept(rb_fde_t *F, void *data)
128 {
129 int ssl_err;
130 lrb_assert(F->accept != NULL);
131 int flags;
132 struct acceptdata *ad;
133
134 if(!SSL_is_init_finished((SSL *) F->ssl))
135 {
136 if((ssl_err = SSL_accept((SSL *) F->ssl)) <= 0)
137 {
138 switch (ssl_err = SSL_get_error((SSL *) F->ssl, ssl_err))
139 {
140 case SSL_ERROR_WANT_READ:
141 case SSL_ERROR_WANT_WRITE:
142 if(ssl_err == SSL_ERROR_WANT_WRITE)
143 flags = RB_SELECT_WRITE;
144 else
145 flags = RB_SELECT_READ;
146 F->ssl_errno = get_last_err();
147 rb_setselect(F, flags, rb_ssl_tryaccept, NULL);
148 break;
149 case SSL_ERROR_SYSCALL:
150 F->accept->callback(F, RB_ERROR, NULL, 0, F->accept->data);
151 break;
152 default:
153 F->ssl_errno = get_last_err();
154 F->accept->callback(F, RB_ERROR_SSL, NULL, 0, F->accept->data);
155 break;
156 }
157 return;
158 }
159 }
160 rb_settimeout(F, 0, NULL, NULL);
161 rb_setselect(F, RB_SELECT_READ | RB_SELECT_WRITE, NULL, NULL);
162
163 ad = F->accept;
164 F->accept = NULL;
165 ad->callback(F, RB_OK, (struct sockaddr *)&ad->S, ad->addrlen, ad->data);
166 rb_free(ad);
167
168 }
169
170
171 static void
172 rb_ssl_accept_common(rb_fde_t *new_F)
173 {
174 int ssl_err;
175 if((ssl_err = SSL_accept((SSL *) new_F->ssl)) <= 0)
176 {
177 switch (ssl_err = SSL_get_error((SSL *) new_F->ssl, ssl_err))
178 {
179 case SSL_ERROR_SYSCALL:
180 if(rb_ignore_errno(errno))
181 case SSL_ERROR_WANT_READ:
182 case SSL_ERROR_WANT_WRITE:
183 {
184 new_F->ssl_errno = get_last_err();
185 rb_setselect(new_F, RB_SELECT_READ | RB_SELECT_WRITE,
186 rb_ssl_tryaccept, NULL);
187 return;
188 }
189 default:
190 new_F->ssl_errno = get_last_err();
191 new_F->accept->callback(new_F, RB_ERROR_SSL, NULL, 0, new_F->accept->data);
192 return;
193 }
194 }
195 else
196 {
197 rb_ssl_tryaccept(new_F, NULL);
198 }
199 }
200
201 void
202 rb_ssl_start_accepted(rb_fde_t *new_F, ACCB * cb, void *data, int timeout)
203 {
204 new_F->type |= RB_FD_SSL;
205 new_F->ssl = SSL_new(ssl_server_ctx);
206 new_F->accept = rb_malloc(sizeof(struct acceptdata));
207
208 new_F->accept->callback = cb;
209 new_F->accept->data = data;
210 rb_settimeout(new_F, timeout, rb_ssl_timeout, NULL);
211
212 new_F->accept->addrlen = 0;
213 SSL_set_fd((SSL *) new_F->ssl, rb_get_fd(new_F));
214 rb_setup_ssl_cb(new_F);
215 rb_ssl_accept_common(new_F);
216 }
217
218
219
220
221 void
222 rb_ssl_accept_setup(rb_fde_t *F, rb_fde_t *new_F, struct sockaddr *st, int addrlen)
223 {
224 new_F->type |= RB_FD_SSL;
225 new_F->ssl = SSL_new(ssl_server_ctx);
226 new_F->accept = rb_malloc(sizeof(struct acceptdata));
227
228 new_F->accept->callback = F->accept->callback;
229 new_F->accept->data = F->accept->data;
230 rb_settimeout(new_F, 10, rb_ssl_timeout, NULL);
231 memcpy(&new_F->accept->S, st, addrlen);
232 new_F->accept->addrlen = addrlen;
233
234 SSL_set_fd((SSL *) new_F->ssl, rb_get_fd(new_F));
235 rb_setup_ssl_cb(new_F);
236 rb_ssl_accept_common(new_F);
237 }
238
239 static ssize_t
240 rb_ssl_read_or_write(int r_or_w, rb_fde_t *F, void *rbuf, const void *wbuf, size_t count)
241 {
242 ssize_t ret;
243 unsigned long err;
244 SSL *ssl = F->ssl;
245
246 if(r_or_w == 0)
247 ret = (ssize_t) SSL_read(ssl, rbuf, (int)count);
248 else
249 ret = (ssize_t) SSL_write(ssl, wbuf, (int)count);
250
251 if(ret < 0)
252 {
253 switch (SSL_get_error(ssl, ret))
254 {
255 case SSL_ERROR_WANT_READ:
256 errno = EAGAIN;
257 return RB_RW_SSL_NEED_READ;
258 case SSL_ERROR_WANT_WRITE:
259 errno = EAGAIN;
260 return RB_RW_SSL_NEED_WRITE;
261 case SSL_ERROR_ZERO_RETURN:
262 return 0;
263 case SSL_ERROR_SYSCALL:
264 err = get_last_err();
265 if(err == 0)
266 {
267 F->ssl_errno = 0;
268 return RB_RW_IO_ERROR;
269 }
270 break;
271 default:
272 err = get_last_err();
273 break;
274 }
275 F->ssl_errno = err;
276 if(err > 0)
277 {
278 errno = EIO; /* not great but... */
279 return RB_RW_SSL_ERROR;
280 }
281 return RB_RW_IO_ERROR;
282 }
283 return ret;
284 }
285
286 ssize_t
287 rb_ssl_read(rb_fde_t *F, void *buf, size_t count)
288 {
289 return rb_ssl_read_or_write(0, F, buf, NULL, count);
290 }
291
292 ssize_t
293 rb_ssl_write(rb_fde_t *F, const void *buf, size_t count)
294 {
295 return rb_ssl_read_or_write(1, F, NULL, buf, count);
296 }
297
298 static int
299 verify_accept_all_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)
300 {
301 return 1;
302 }
303
304 static const char *
305 get_ssl_error(unsigned long err)
306 {
307 static char buf[512];
308
309 ERR_error_string_n(err, buf, sizeof buf);
310 return buf;
311 }
312
313 int
314 rb_init_ssl(void)
315 {
316 int ret = 1;
317 char libratbox_data[] = "libratbox data";
318 const char libratbox_ciphers[] = "kEECDH+HIGH:kEDH+HIGH:HIGH:!RC4:!aNULL";
319 SSL_load_error_strings();
320 SSL_library_init();
321 libratbox_index = SSL_get_ex_new_index(0, libratbox_data, NULL, NULL, NULL);
322
323 #ifndef LRB_HAVE_TLS_METHOD_API
324 ssl_server_ctx = SSL_CTX_new(SSLv23_server_method());
325 #else
326 ssl_server_ctx = SSL_CTX_new(TLS_server_method());
327 #endif
328
329 if(ssl_server_ctx == NULL)
330 {
331 rb_lib_log("rb_init_openssl: Unable to initialize OpenSSL server context: %s",
332 get_ssl_error(ERR_get_error()));
333 ret = 0;
334 }
335
336 long server_options = SSL_CTX_get_options(ssl_server_ctx);
337
338 #ifndef LRB_HAVE_TLS_METHOD_API
339 server_options |= SSL_OP_NO_SSLv2;
340 server_options |= SSL_OP_NO_SSLv3;
341 #endif
342
343 #ifdef SSL_OP_SINGLE_DH_USE
344 server_options |= SSL_OP_SINGLE_DH_USE;
345 #endif
346
347 #ifdef SSL_OP_SINGLE_ECDH_USE
348 server_options |= SSL_OP_SINGLE_ECDH_USE;
349 #endif
350
351 #ifdef SSL_OP_NO_TICKET
352 server_options |= SSL_OP_NO_TICKET;
353 #endif
354
355 server_options |= SSL_OP_CIPHER_SERVER_PREFERENCE;
356
357 SSL_CTX_set_options(ssl_server_ctx, server_options);
358 SSL_CTX_set_verify(ssl_server_ctx, SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE, verify_accept_all_cb);
359 SSL_CTX_set_session_cache_mode(ssl_server_ctx, SSL_SESS_CACHE_OFF);
360 SSL_CTX_set_cipher_list(ssl_server_ctx, libratbox_ciphers);
361
362 /* Set ECDHE on OpenSSL 1.00+, but make sure it's actually available because redhat are dicks
363 and bastardise their OpenSSL for stupid reasons... */
364 #if (OPENSSL_VERSION_NUMBER >= 0x10000000L) && defined(NID_secp384r1)
365 EC_KEY *key = EC_KEY_new_by_curve_name(NID_secp384r1);
366 if (key) {
367 SSL_CTX_set_tmp_ecdh(ssl_server_ctx, key);
368 EC_KEY_free(key);
369 }
370 #endif
371
372 #ifndef LRB_HAVE_TLS_METHOD_API
373 ssl_client_ctx = SSL_CTX_new(SSLv23_client_method());
374 #else
375 ssl_client_ctx = SSL_CTX_new(TLS_client_method());
376 #endif
377
378 if(ssl_client_ctx == NULL)
379 {
380 rb_lib_log("rb_init_openssl: Unable to initialize OpenSSL client context: %s",
381 get_ssl_error(ERR_get_error()));
382 ret = 0;
383 }
384
385 #ifndef LRB_HAVE_TLS_METHOD_API
386 SSL_CTX_set_options(ssl_client_ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
387 #endif
388
389 #ifdef SSL_OP_NO_TICKET
390 SSL_CTX_set_options(ssl_client_ctx, SSL_OP_NO_TICKET);
391 #endif
392
393 SSL_CTX_set_cipher_list(ssl_client_ctx, libratbox_ciphers);
394
395 return ret;
396 }
397
398
399 int
400 rb_setup_ssl_server(const char *cert, const char *keyfile, const char *dhfile, const char *cipher_list)
401 {
402 DH *dh;
403 unsigned long err;
404 if(cert == NULL)
405 {
406 rb_lib_log("rb_setup_ssl_server: No certificate file");
407 return 0;
408 }
409 if(!SSL_CTX_use_certificate_chain_file(ssl_server_ctx, cert) || !SSL_CTX_use_certificate_chain_file(ssl_client_ctx, cert))
410 {
411 err = ERR_get_error();
412 rb_lib_log("rb_setup_ssl_server: Error loading certificate file [%s]: %s", cert,
413 get_ssl_error(err));
414 return 0;
415 }
416
417 if(keyfile == NULL)
418 {
419 rb_lib_log("rb_setup_ssl_server: No key file");
420 return 0;
421 }
422
423
424 if(!SSL_CTX_use_PrivateKey_file(ssl_server_ctx, keyfile, SSL_FILETYPE_PEM) || !SSL_CTX_use_PrivateKey_file(ssl_client_ctx, keyfile, SSL_FILETYPE_PEM))
425 {
426 err = ERR_get_error();
427 rb_lib_log("rb_setup_ssl_server: Error loading keyfile [%s]: %s", keyfile,
428 get_ssl_error(err));
429 return 0;
430 }
431
432 if(dhfile != NULL)
433 {
434 /* DH parameters aren't necessary, but they are nice..if they didn't pass one..that is their problem */
435 BIO *bio = BIO_new_file(dhfile, "r");
436 if(bio != NULL)
437 {
438 dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
439 if(dh == NULL)
440 {
441 err = ERR_get_error();
442 rb_lib_log
443 ("rb_setup_ssl_server: Error loading DH params file [%s]: %s",
444 dhfile, get_ssl_error(err));
445 BIO_free(bio);
446 return 0;
447 }
448 BIO_free(bio);
449 SSL_CTX_set_tmp_dh(ssl_server_ctx, dh);
450 }
451 else
452 {
453 err = ERR_get_error();
454 rb_lib_log("rb_setup_ssl_server: Error loading DH params file [%s]: %s",
455 dhfile, get_ssl_error(err));
456 }
457 }
458
459 if (cipher_list != NULL)
460 {
461 SSL_CTX_set_cipher_list(ssl_server_ctx, cipher_list);
462 }
463
464 return 1;
465 }
466
467 int
468 rb_ssl_listen(rb_fde_t *F, int backlog, int defer_accept)
469 {
470 int result;
471
472 result = rb_listen(F, backlog, defer_accept);
473 F->type = RB_FD_SOCKET | RB_FD_LISTEN | RB_FD_SSL;
474
475 return result;
476 }
477
478 struct ssl_connect
479 {
480 CNCB *callback;
481 void *data;
482 int timeout;
483 };
484
485 static void
486 rb_ssl_connect_realcb(rb_fde_t *F, int status, struct ssl_connect *sconn)
487 {
488 F->connect->callback = sconn->callback;
489 F->connect->data = sconn->data;
490 rb_free(sconn);
491 rb_connect_callback(F, status);
492 }
493
494 static void
495 rb_ssl_tryconn_timeout_cb(rb_fde_t *F, void *data)
496 {
497 rb_ssl_connect_realcb(F, RB_ERR_TIMEOUT, data);
498 }
499
500 static void
501 rb_ssl_tryconn_cb(rb_fde_t *F, void *data)
502 {
503 struct ssl_connect *sconn = data;
504 int ssl_err;
505 if(!SSL_is_init_finished((SSL *) F->ssl))
506 {
507 if((ssl_err = SSL_connect((SSL *) F->ssl)) <= 0)
508 {
509 switch (ssl_err = SSL_get_error((SSL *) F->ssl, ssl_err))
510 {
511 case SSL_ERROR_SYSCALL:
512 if(rb_ignore_errno(errno))
513 case SSL_ERROR_WANT_READ:
514 case SSL_ERROR_WANT_WRITE:
515 {
516 F->ssl_errno = get_last_err();
517 rb_setselect(F, RB_SELECT_READ | RB_SELECT_WRITE,
518 rb_ssl_tryconn_cb, sconn);
519 return;
520 }
521 default:
522 F->ssl_errno = get_last_err();
523 rb_ssl_connect_realcb(F, RB_ERROR_SSL, sconn);
524 return;
525 }
526 }
527 else
528 {
529 rb_ssl_connect_realcb(F, RB_OK, sconn);
530 }
531 }
532 }
533
534 static void
535 rb_ssl_tryconn(rb_fde_t *F, int status, void *data)
536 {
537 struct ssl_connect *sconn = data;
538 int ssl_err;
539 if(status != RB_OK)
540 {
541 rb_ssl_connect_realcb(F, status, sconn);
542 return;
543 }
544
545 F->type |= RB_FD_SSL;
546 F->ssl = SSL_new(ssl_client_ctx);
547 SSL_set_fd((SSL *) F->ssl, F->fd);
548 rb_setup_ssl_cb(F);
549 rb_settimeout(F, sconn->timeout, rb_ssl_tryconn_timeout_cb, sconn);
550 if((ssl_err = SSL_connect((SSL *) F->ssl)) <= 0)
551 {
552 switch (ssl_err = SSL_get_error((SSL *) F->ssl, ssl_err))
553 {
554 case SSL_ERROR_SYSCALL:
555 if(rb_ignore_errno(errno))
556 case SSL_ERROR_WANT_READ:
557 case SSL_ERROR_WANT_WRITE:
558 {
559 F->ssl_errno = get_last_err();
560 rb_setselect(F, RB_SELECT_READ | RB_SELECT_WRITE,
561 rb_ssl_tryconn_cb, sconn);
562 return;
563 }
564 default:
565 F->ssl_errno = get_last_err();
566 rb_ssl_connect_realcb(F, RB_ERROR_SSL, sconn);
567 return;
568 }
569 }
570 else
571 {
572 rb_ssl_connect_realcb(F, RB_OK, sconn);
573 }
574 }
575
576 void
577 rb_connect_tcp_ssl(rb_fde_t *F, struct sockaddr *dest,
578 struct sockaddr *clocal, int socklen, CNCB * callback, void *data, int timeout)
579 {
580 struct ssl_connect *sconn;
581 if(F == NULL)
582 return;
583
584 sconn = rb_malloc(sizeof(struct ssl_connect));
585 sconn->data = data;
586 sconn->callback = callback;
587 sconn->timeout = timeout;
588 rb_connect_tcp(F, dest, clocal, socklen, rb_ssl_tryconn, sconn, timeout);
589
590 }
591
592 void
593 rb_ssl_start_connected(rb_fde_t *F, CNCB * callback, void *data, int timeout)
594 {
595 struct ssl_connect *sconn;
596 int ssl_err;
597 if(F == NULL)
598 return;
599
600 sconn = rb_malloc(sizeof(struct ssl_connect));
601 sconn->data = data;
602 sconn->callback = callback;
603 sconn->timeout = timeout;
604 F->connect = rb_malloc(sizeof(struct conndata));
605 F->connect->callback = callback;
606 F->connect->data = data;
607 F->type |= RB_FD_SSL;
608 F->ssl = SSL_new(ssl_client_ctx);
609
610 SSL_set_fd((SSL *) F->ssl, F->fd);
611 rb_setup_ssl_cb(F);
612 rb_settimeout(F, sconn->timeout, rb_ssl_tryconn_timeout_cb, sconn);
613 if((ssl_err = SSL_connect((SSL *) F->ssl)) <= 0)
614 {
615 switch (ssl_err = SSL_get_error((SSL *) F->ssl, ssl_err))
616 {
617 case SSL_ERROR_SYSCALL:
618 if(rb_ignore_errno(errno))
619 case SSL_ERROR_WANT_READ:
620 case SSL_ERROR_WANT_WRITE:
621 {
622 F->ssl_errno = get_last_err();
623 rb_setselect(F, RB_SELECT_READ | RB_SELECT_WRITE,
624 rb_ssl_tryconn_cb, sconn);
625 return;
626 }
627 default:
628 F->ssl_errno = get_last_err();
629 rb_ssl_connect_realcb(F, RB_ERROR_SSL, sconn);
630 return;
631 }
632 }
633 else
634 {
635 rb_ssl_connect_realcb(F, RB_OK, sconn);
636 }
637 }
638
639 int
640 rb_init_prng(const char *path, prng_seed_t seed_type)
641 {
642 if(seed_type == RB_PRNG_DEFAULT)
643 {
644 #ifdef _WIN32
645 RAND_screen();
646 #endif
647 return RAND_status();
648 }
649 if(path == NULL)
650 return RAND_status();
651
652 switch (seed_type)
653 {
654 case RB_PRNG_FILE:
655 if(RAND_load_file(path, -1) == -1)
656 return -1;
657 break;
658 #ifdef _WIN32
659 case RB_PRNGWIN32:
660 RAND_screen();
661 break;
662 #endif
663 default:
664 return -1;
665 }
666
667 return RAND_status();
668 }
669
670 int
671 rb_get_random(void *buf, size_t length)
672 {
673 int ret;
674
675 if((ret = RAND_bytes(buf, length)) == 0)
676 {
677 /* remove the error from the queue */
678 ERR_get_error();
679 }
680 return ret;
681 }
682
683 const char *
684 rb_get_ssl_strerror(rb_fde_t *F)
685 {
686 return get_ssl_error(F->ssl_errno);
687 }
688
689 int
690 rb_get_ssl_certfp(rb_fde_t *F, uint8_t certfp[RB_SSL_CERTFP_LEN], int method)
691 {
692 X509 *cert;
693 int res;
694
695 if (F->ssl == NULL)
696 return 0;
697
698 cert = SSL_get_peer_certificate((SSL *) F->ssl);
699 if(cert != NULL)
700 {
701 res = SSL_get_verify_result((SSL *) F->ssl);
702 if(
703 res == X509_V_OK ||
704 res == X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN ||
705 res == X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE ||
706 res == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT ||
707 res == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
708 {
709 const EVP_MD *evp;
710 unsigned int len;
711
712 switch(method)
713 {
714 case RB_SSL_CERTFP_METH_SHA1:
715 evp = EVP_sha1();
716 len = RB_SSL_CERTFP_LEN_SHA1;
717 break;
718 case RB_SSL_CERTFP_METH_SHA256:
719 evp = EVP_sha256();
720 len = RB_SSL_CERTFP_LEN_SHA256;
721 break;
722 case RB_SSL_CERTFP_METH_SHA512:
723 evp = EVP_sha512();
724 len = RB_SSL_CERTFP_LEN_SHA512;
725 break;
726 default:
727 return 0;
728 }
729
730 X509_digest(cert, evp, certfp, &len);
731 X509_free(cert);
732 return len;
733 }
734 X509_free(cert);
735 }
736
737 return 0;
738 }
739
740 int
741 rb_supports_ssl(void)
742 {
743 return 1;
744 }
745
746 void
747 rb_get_ssl_info(char *buf, size_t len)
748 {
749 snprintf(buf, len, "Using SSL: %s compiled: 0x%lx, library 0x%lx",
750 SSLeay_version(SSLEAY_VERSION),
751 (long)OPENSSL_VERSION_NUMBER, SSLeay());
752 }
753
754 const char *
755 rb_ssl_get_cipher(rb_fde_t *F)
756 {
757 const SSL_CIPHER *sslciph;
758
759 if(F == NULL || F->ssl == NULL)
760 return NULL;
761
762 if((sslciph = SSL_get_current_cipher(F->ssl)) == NULL)
763 return NULL;
764
765 return SSL_CIPHER_get_name(sslciph);
766 }
767
768 #endif /* HAVE_OPESSL */
Fork of solanum ircd, history is rebased regularly