libratbox/src/gnutls.c

   1 /*
   2  *  libratbox: a library used by ircd-ratbox and other things
   3  *  gnutls.c: gnutls related code
   4  *
   5  *  Copyright (C) 2007-2008 ircd-ratbox development team
   6  *  Copyright (C) 2007-2008 Aaron Sethman <androsyn@ratbox.org>
   7  *
   8  *  This program is free software; you can redistribute it and/or modify
   9  *  it under the terms of the GNU General Public License as published by
  10  *  the Free Software Foundation; either version 2 of the License, or
  11  *  (at your option) any later version.
  12  *
  13  *  This program is distributed in the hope that it will be useful,
  14  *  but WITHOUT ANY WARRANTY; without even the implied warranty of
  15  *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  16  *  GNU General Public License for more details.
  17  *
  18  *  You should have received a copy of the GNU General Public License
  19  *  along with this program; if not, write to the Free Software
  20  *  Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301
  21  *  USA
  22  *
  23  *  $Id: gnutls.c 26296 2008-12-13 03:36:00Z androsyn $
  24  */
  25
  26 #include <libratbox_config.h>
  27 #include <ratbox_lib.h>
  28 #include <commio-int.h>
  29 #include <commio-ssl.h>
  30 #ifdef HAVE_GNUTLS
  31
  32 #include <gnutls/gnutls.h>
  33 #include <gnutls/x509.h>
  34 #include <gnutls/crypto.h>
  35
  36 #if GNUTLS_VERSION_MAJOR < 3
  37 # include <gcrypt.h>
  38 #endif
  39
  40 static gnutls_certificate_credentials x509;
  41 static gnutls_dh_params dh_params;
  42 static gnutls_priority_t default_priority;
  43
  44 /* These are all used for getting GnuTLS to supply a client cert. */
  45 #define MAX_CERTS 6
  46 static unsigned int x509_cert_count;
  47 static gnutls_x509_crt_t x509_cert[MAX_CERTS];
  48 static gnutls_x509_privkey_t x509_key;
  49 static int cert_callback(gnutls_session_t session, const gnutls_datum_t *req_ca_rdn, int nreqs,
  50         const gnutls_pk_algorithm_t *sign_algos, int sign_algos_len, gnutls_retr_st *st);
  51
  52
  53 #define SSL_P(x) *((gnutls_session_t *)F->ssl)
  54
  55 void
  56 rb_ssl_shutdown(rb_fde_t *F)
  57 {
  58         int i;
  59         if(F == NULL || F->ssl == NULL)
  60                 return;
  61         for(i = 0; i < 4; i++)
  62         {
  63                 if(gnutls_bye(SSL_P(F), GNUTLS_SHUT_RDWR) == GNUTLS_E_SUCCESS)
  64                         break;
  65         }
  66         gnutls_deinit(SSL_P(F));
  67         rb_free(F->ssl);
  68 }
  69
  70 unsigned int
  71 rb_ssl_handshake_count(rb_fde_t *F)
  72 {
  73         return F->handshake_count;
  74 }
  75
  76 void
  77 rb_ssl_clear_handshake_count(rb_fde_t *F)
  78 {
  79         F->handshake_count = 0;
  80 }
  81
  82 static void
  83 rb_ssl_timeout(rb_fde_t *F, void *notused)
  84 {
  85         lrb_assert(F->accept != NULL);
  86         F->accept->callback(F, RB_ERR_TIMEOUT, NULL, 0, F->accept->data);
  87 }
  88
  89
  90 static int
  91 do_ssl_handshake(rb_fde_t *F, PF * callback, void *data)
  92 {
  93         int ret;
  94         int flags;
  95
  96         ret = gnutls_handshake(SSL_P(F));
  97         if(ret < 0)
  98         {
  99                 if((ret == GNUTLS_E_INTERRUPTED && rb_ignore_errno(errno)) || ret == GNUTLS_E_AGAIN)
 100                 {
 101                         if(gnutls_record_get_direction(SSL_P(F)) == 0)
 102                                 flags = RB_SELECT_READ;
 103                         else
 104                                 flags = RB_SELECT_WRITE;
 105                         rb_setselect(F, flags, callback, data);
 106                         return 0;
 107                 }
 108                 F->ssl_errno = ret;
 109                 return -1;
 110         }
 111         return 1;               /* handshake is finished..go about life */
 112 }
 113
 114 static void
 115 rb_ssl_tryaccept(rb_fde_t *F, void *data)
 116 {
 117         int ret;
 118         struct acceptdata *ad;
 119
 120         lrb_assert(F->accept != NULL);
 121
 122         ret = do_ssl_handshake(F, rb_ssl_tryaccept, NULL);
 123
 124         /* do_ssl_handshake does the rb_setselect */
 125         if(ret == 0)
 126                 return;
 127
 128         ad = F->accept;
 129         F->accept = NULL;
 130         rb_settimeout(F, 0, NULL, NULL);
 131         rb_setselect(F, RB_SELECT_READ | RB_SELECT_WRITE, NULL, NULL);
 132
 133         if(ret > 0)
 134                 ad->callback(F, RB_OK, (struct sockaddr *)&ad->S, ad->addrlen, ad->data);
 135         else
 136                 ad->callback(F, RB_ERROR_SSL, NULL, 0, ad->data);
 137
 138         rb_free(ad);
 139 }
 140
 141 void
 142 rb_ssl_start_accepted(rb_fde_t *new_F, ACCB * cb, void *data, int timeout)
 143 {
 144         gnutls_session_t *ssl;
 145         new_F->type |= RB_FD_SSL;
 146         ssl = new_F->ssl = rb_malloc(sizeof(gnutls_session_t));
 147         new_F->accept = rb_malloc(sizeof(struct acceptdata));
 148
 149         new_F->accept->callback = cb;
 150         new_F->accept->data = data;
 151         rb_settimeout(new_F, timeout, rb_ssl_timeout, NULL);
 152
 153         new_F->accept->addrlen = 0;
 154
 155         gnutls_init(ssl, GNUTLS_SERVER);
 156         gnutls_set_default_priority(*ssl);
 157         gnutls_credentials_set(*ssl, GNUTLS_CRD_CERTIFICATE, x509);
 158         gnutls_dh_set_prime_bits(*ssl, 1024);
 159         gnutls_transport_set_ptr(*ssl, (gnutls_transport_ptr_t) (long int)new_F->fd);
 160         gnutls_certificate_server_set_request(*ssl, GNUTLS_CERT_REQUEST);
 161         gnutls_priority_set(SSL_P(F), default_priority);
 162
 163         if(do_ssl_handshake(new_F, rb_ssl_tryaccept, NULL))
 164         {
 165                 struct acceptdata *ad = new_F->accept;
 166                 new_F->accept = NULL;
 167                 ad->callback(new_F, RB_OK, (struct sockaddr *)&ad->S, ad->addrlen, ad->data);
 168                 rb_free(ad);
 169         }
 170
 171 }
 172
 173
 174
 175
 176 void
 177 rb_ssl_accept_setup(rb_fde_t *F, rb_fde_t *new_F, struct sockaddr *st, int addrlen)
 178 {
 179         new_F->type |= RB_FD_SSL;
 180         new_F->ssl = rb_malloc(sizeof(gnutls_session_t));
 181         new_F->accept = rb_malloc(sizeof(struct acceptdata));
 182
 183         new_F->accept->callback = F->accept->callback;
 184         new_F->accept->data = F->accept->data;
 185         rb_settimeout(new_F, 10, rb_ssl_timeout, NULL);
 186         memcpy(&new_F->accept->S, st, addrlen);
 187         new_F->accept->addrlen = addrlen;
 188
 189         gnutls_init((gnutls_session_t *) new_F->ssl, GNUTLS_SERVER);
 190         gnutls_set_default_priority(SSL_P(new_F));
 191         gnutls_credentials_set(SSL_P(new_F), GNUTLS_CRD_CERTIFICATE, x509);
 192         gnutls_dh_set_prime_bits(SSL_P(new_F), 1024);
 193         gnutls_transport_set_ptr(SSL_P(new_F), (gnutls_transport_ptr_t) (long int)rb_get_fd(new_F));
 194         gnutls_certificate_server_set_request(SSL_P(new_F), GNUTLS_CERT_REQUEST);
 195         gnutls_priority_set(SSL_P(F), default_priority);
 196
 197         if(do_ssl_handshake(F, rb_ssl_tryaccept, NULL))
 198         {
 199                 struct acceptdata *ad = F->accept;
 200                 F->accept = NULL;
 201                 ad->callback(F, RB_OK, (struct sockaddr *)&ad->S, ad->addrlen, ad->data);
 202                 rb_free(ad);
 203         }
 204 }
 205
 206
 207
 208
 209 static ssize_t
 210 rb_ssl_read_or_write(int r_or_w, rb_fde_t *F, void *rbuf, const void *wbuf, size_t count)
 211 {
 212         ssize_t ret;
 213         gnutls_session_t *ssl = F->ssl;
 214
 215         if(r_or_w == 0)
 216                 ret = gnutls_record_recv(*ssl, rbuf, count);
 217         else
 218                 ret = gnutls_record_send(*ssl, wbuf, count);
 219
 220         if(ret < 0)
 221         {
 222                 switch (ret)
 223                 {
 224                 case GNUTLS_E_AGAIN:
 225                 case GNUTLS_E_INTERRUPTED:
 226                         if(rb_ignore_errno(errno))
 227                         {
 228                                 if(gnutls_record_get_direction(*ssl) == 0)
 229                                         return RB_RW_SSL_NEED_READ;
 230                                 else
 231                                         return RB_RW_SSL_NEED_WRITE;
 232                                 break;
 233                         }
 234                 default:
 235                         F->ssl_errno = ret;
 236                         errno = EIO;
 237                         return RB_RW_IO_ERROR;
 238                 }
 239         }
 240         return ret;
 241 }
 242
 243 ssize_t
 244 rb_ssl_read(rb_fde_t *F, void *buf, size_t count)
 245 {
 246         return rb_ssl_read_or_write(0, F, buf, NULL, count);
 247 }
 248
 249 ssize_t
 250 rb_ssl_write(rb_fde_t *F, const void *buf, size_t count)
 251 {
 252         return rb_ssl_read_or_write(1, F, NULL, buf, count);
 253 }
 254
 255 static void
 256 rb_gcry_random_seed(void *unused)
 257 {
 258 #if GNUTLS_VERSION_MAJOR < 3
 259         gcry_fast_random_poll();
 260 #endif
 261 }
 262
 263 int
 264 rb_init_ssl(void)
 265 {
 266         gnutls_global_init();
 267
 268         if(gnutls_certificate_allocate_credentials(&x509) != GNUTLS_E_SUCCESS)
 269         {
 270                 rb_lib_log("rb_init_ssl: Unable to allocate SSL/TLS certificate credentials");
 271                 return 0;
 272         }
 273
 274         /* This should be changed to gnutls_certificate_set_retrieve_function2 once
 275          * everyone in the world has upgraded to GnuTLS 3.
 276          */
 277         gnutls_certificate_client_set_retrieve_function(x509, cert_callback);
 278
 279         rb_event_addish("rb_gcry_random_seed", rb_gcry_random_seed, NULL, 300);
 280         return 1;
 281 }
 282
 283 /* We only have one certificate to authenticate with, as both client and server.  Unfortunately,
 284  * GnuTLS tries to be clever, and as client, will attempt to use a certificate that the server
 285  * will trust.  We usually use self-signed certs, though, so the result of this search is always
 286  * nothing.  Therefore, it uses no certificate to authenticate as a client.  This is undesirable
 287  * as it breaks fingerprint auth.  Thus, we use this callback to force GnuTLS to always
 288  * authenticate with our certificate at all times.
 289  */
 290 static int
 291 cert_callback(gnutls_session_t session, const gnutls_datum_t *req_ca_rdn, int nreqs,
 292         const gnutls_pk_algorithm_t *sign_algos, int sign_algos_len, gnutls_retr_st *st)
 293 {
 294         /* XXX - ugly hack. Tell GnuTLS to use the first (only) certificate we have for auth. */
 295         st->type = GNUTLS_CRT_X509;
 296         st->ncerts = x509_cert_count;
 297         st->cert.x509 = x509_cert;
 298         st->key.x509 = x509_key;
 299
 300         return 0;
 301 }
 302
 303 static void
 304 rb_free_datum_t(gnutls_datum_t * d)
 305 {
 306         rb_free(d->data);
 307         rb_free(d);
 308 }
 309
 310 static gnutls_datum_t *
 311 rb_load_file_into_datum_t(const char *file)
 312 {
 313         FILE *f;
 314         gnutls_datum_t *datum;
 315         struct stat fileinfo;
 316         if((f = fopen(file, "r")) == NULL)
 317                 return NULL;
 318         if(fstat(fileno(f), &fileinfo))
 319                 return NULL;
 320
 321         datum = rb_malloc(sizeof(gnutls_datum_t));
 322
 323         if(fileinfo.st_size > 131072)   /* deal with retards */
 324                 datum->size = 131072;
 325         else
 326                 datum->size = fileinfo.st_size;
 327
 328         datum->data = rb_malloc(datum->size + 1);
 329         fread(datum->data, datum->size, 1, f);
 330         fclose(f);
 331         return datum;
 332 }
 333
 334 int
 335 rb_setup_ssl_server(const char *cert, const char *keyfile, const char *dhfile, const char *cipher_list)
 336 {
 337         int ret;
 338         const char *err;
 339         gnutls_datum_t *d_cert, *d_key;
 340         if(cert == NULL)
 341         {
 342                 rb_lib_log("rb_setup_ssl_server: No certificate file");
 343                 return 0;
 344         }
 345
 346         if((d_cert = rb_load_file_into_datum_t(cert)) == NULL)
 347         {
 348                 rb_lib_log("rb_setup_ssl_server: Error loading certificate: %s", strerror(errno));
 349                 return 0;
 350         }
 351
 352         if((d_key = rb_load_file_into_datum_t(keyfile)) == NULL)
 353         {
 354                 rb_lib_log("rb_setup_ssl_server: Error loading key: %s", strerror(errno));
 355                 return 0;
 356         }
 357
 358         /* In addition to creating the certificate set, we also need to store our cert elsewhere
 359          * so we can force GnuTLS to identify with it when acting as a client.
 360          */
 361         gnutls_x509_privkey_init(&x509_key);
 362         if ((ret = gnutls_x509_privkey_import(x509_key, d_key, GNUTLS_X509_FMT_PEM)) != GNUTLS_E_SUCCESS)
 363         {
 364                 rb_lib_log("rb_setup_ssl_server: Error loading key file: %s", gnutls_strerror(ret));
 365                 return 0;
 366         }
 367
 368         x509_cert_count = MAX_CERTS;
 369         if ((ret = gnutls_x509_crt_list_import(x509_cert, &x509_cert_count, d_cert, GNUTLS_X509_FMT_PEM,
 370                 GNUTLS_X509_CRT_LIST_IMPORT_FAIL_IF_EXCEED)) < 0)
 371         {
 372                 rb_lib_log("rb_setup_ssl_server: Error loading certificate: %s", gnutls_strerror(ret));
 373                 return 0;
 374         }
 375         x509_cert_count = ret;
 376
 377         if((ret =
 378             gnutls_certificate_set_x509_key_mem(x509, d_cert, d_key,
 379                                                 GNUTLS_X509_FMT_PEM)) != GNUTLS_E_SUCCESS)
 380         {
 381                 rb_lib_log("rb_setup_ssl_server: Error loading certificate or key file: %s",
 382                            gnutls_strerror(ret));
 383                 return 0;
 384         }
 385
 386         rb_free_datum_t(d_cert);
 387         rb_free_datum_t(d_key);
 388
 389         if(dhfile != NULL)
 390         {
 391                 if(gnutls_dh_params_init(&dh_params) == GNUTLS_E_SUCCESS)
 392                 {
 393                         gnutls_datum_t *data;
 394                         int xret;
 395                         data = rb_load_file_into_datum_t(dhfile);
 396                         if(data != NULL)
 397                         {
 398                                 xret = gnutls_dh_params_import_pkcs3(dh_params, data,
 399                                                                      GNUTLS_X509_FMT_PEM);
 400                                 if(xret < 0)
 401                                         rb_lib_log
 402                                                 ("rb_setup_ssl_server: Error parsing DH file: %s\n",
 403                                                  gnutls_strerror(xret));
 404                                 rb_free_datum_t(data);
 405                         }
 406                         gnutls_certificate_set_dh_params(x509, dh_params);
 407                 }
 408                 else
 409                         rb_lib_log("rb_setup_ssl_server: Unable to setup DH parameters");
 410         }
 411
 412         ret = gnutls_priority_init(&default_priority, cipher_list, &err);
 413         if (ret < 0)
 414         {
 415                 rb_lib_log("rb_setup_ssl_server: syntax error (using defaults instead) in ssl cipher list at: %s", err);
 416                 gnutls_priority_init(&default_priority, NULL, &err);
 417                 return 1;
 418         }
 419
 420         return 1;
 421 }
 422
 423 int
 424 rb_ssl_listen(rb_fde_t *F, int backlog, int defer_accept)
 425 {
 426         int result;
 427
 428         result = rb_listen(F, backlog, defer_accept);
 429         F->type = RB_FD_SOCKET | RB_FD_LISTEN | RB_FD_SSL;
 430
 431         return result;
 432 }
 433
 434 struct ssl_connect
 435 {
 436         CNCB *callback;
 437         void *data;
 438         int timeout;
 439 };
 440
 441 static void
 442 rb_ssl_connect_realcb(rb_fde_t *F, int status, struct ssl_connect *sconn)
 443 {
 444         F->connect->callback = sconn->callback;
 445         F->connect->data = sconn->data;
 446         rb_free(sconn);
 447         rb_connect_callback(F, status);
 448 }
 449
 450 static void
 451 rb_ssl_tryconn_timeout_cb(rb_fde_t *F, void *data)
 452 {
 453         rb_ssl_connect_realcb(F, RB_ERR_TIMEOUT, data);
 454 }
 455
 456 static void
 457 rb_ssl_tryconn_cb(rb_fde_t *F, void *data)
 458 {
 459         struct ssl_connect *sconn = data;
 460         int ret;
 461
 462         ret = do_ssl_handshake(F, rb_ssl_tryconn_cb, (void *)sconn);
 463
 464         switch (ret)
 465         {
 466         case -1:
 467                 rb_ssl_connect_realcb(F, RB_ERROR_SSL, sconn);
 468                 break;
 469         case 0:
 470                 /* do_ssl_handshake does the rb_setselect stuff */
 471                 return;
 472         default:
 473                 break;
 474
 475
 476         }
 477         rb_ssl_connect_realcb(F, RB_OK, sconn);
 478 }
 479
 480 static void
 481 rb_ssl_tryconn(rb_fde_t *F, int status, void *data)
 482 {
 483         struct ssl_connect *sconn = data;
 484         if(status != RB_OK)
 485         {
 486                 rb_ssl_connect_realcb(F, status, sconn);
 487                 return;
 488         }
 489
 490         F->type |= RB_FD_SSL;
 491
 492
 493         rb_settimeout(F, sconn->timeout, rb_ssl_tryconn_timeout_cb, sconn);
 494         F->ssl = rb_malloc(sizeof(gnutls_session_t));
 495         gnutls_init(F->ssl, GNUTLS_CLIENT);
 496         gnutls_set_default_priority(SSL_P(F));
 497         gnutls_credentials_set(SSL_P(F), GNUTLS_CRD_CERTIFICATE, x509);
 498         gnutls_dh_set_prime_bits(SSL_P(F), 1024);
 499         gnutls_transport_set_ptr(SSL_P(F), (gnutls_transport_ptr_t) (long int)F->fd);
 500         gnutls_priority_set(SSL_P(F), default_priority);
 501
 502         do_ssl_handshake(F, rb_ssl_tryconn_cb, (void *)sconn);
 503 }
 504
 505 void
 506 rb_connect_tcp_ssl(rb_fde_t *F, struct sockaddr *dest,
 507                    struct sockaddr *clocal, int socklen, CNCB * callback, void *data, int timeout)
 508 {
 509         struct ssl_connect *sconn;
 510         if(F == NULL)
 511                 return;
 512
 513         sconn = rb_malloc(sizeof(struct ssl_connect));
 514         sconn->data = data;
 515         sconn->callback = callback;
 516         sconn->timeout = timeout;
 517         rb_connect_tcp(F, dest, clocal, socklen, rb_ssl_tryconn, sconn, timeout);
 518
 519 }
 520
 521 void
 522 rb_ssl_start_connected(rb_fde_t *F, CNCB * callback, void *data, int timeout)
 523 {
 524         struct ssl_connect *sconn;
 525         if(F == NULL)
 526                 return;
 527
 528         sconn = rb_malloc(sizeof(struct ssl_connect));
 529         sconn->data = data;
 530         sconn->callback = callback;
 531         sconn->timeout = timeout;
 532         F->connect = rb_malloc(sizeof(struct conndata));
 533         F->connect->callback = callback;
 534         F->connect->data = data;
 535         F->type |= RB_FD_SSL;
 536         F->ssl = rb_malloc(sizeof(gnutls_session_t));
 537
 538         gnutls_init(F->ssl, GNUTLS_CLIENT);
 539         gnutls_set_default_priority(SSL_P(F));
 540         gnutls_credentials_set(SSL_P(F), GNUTLS_CRD_CERTIFICATE, x509);
 541         gnutls_dh_set_prime_bits(SSL_P(F), 1024);
 542         gnutls_transport_set_ptr(SSL_P(F), (gnutls_transport_ptr_t) (long int)F->fd);
 543         gnutls_priority_set(SSL_P(F), default_priority);
 544
 545         rb_settimeout(F, sconn->timeout, rb_ssl_tryconn_timeout_cb, sconn);
 546
 547         do_ssl_handshake(F, rb_ssl_tryconn_cb, (void *)sconn);
 548 }
 549
 550 int
 551 rb_init_prng(const char *path, prng_seed_t seed_type)
 552 {
 553 #if GNUTLS_VERSION_MAJOR < 3
 554         gcry_fast_random_poll();
 555 #else
 556         gnutls_rnd_refresh();
 557 #endif
 558         return 1;
 559 }
 560
 561 int
 562 rb_get_random(void *buf, size_t length)
 563 {
 564 #if GNUTLS_VERSION_MAJOR < 3
 565         gcry_randomize(buf, length, GCRY_STRONG_RANDOM);
 566 #else
 567         gnutls_rnd(GNUTLS_RND_KEY, buf, length);
 568 #endif
 569         return 1;
 570 }
 571
 572 const char *
 573 rb_get_ssl_strerror(rb_fde_t *F)
 574 {
 575         return gnutls_strerror(F->ssl_errno);
 576 }
 577
 578 int
 579 rb_get_ssl_certfp(rb_fde_t *F, uint8_t certfp[RB_SSL_CERTFP_LEN], int method)
 580 {
 581         gnutls_x509_crt_t cert;
 582         gnutls_digest_algorithm_t algo;
 583         unsigned int cert_list_size;
 584         const gnutls_datum_t *cert_list;
 585         uint8_t digest[RB_SSL_CERTFP_LEN * 2];
 586         size_t digest_size;
 587         int len;
 588
 589         if (gnutls_certificate_type_get(SSL_P(F)) != GNUTLS_CRT_X509)
 590                 return 0;
 591
 592         if (gnutls_x509_crt_init(&cert) < 0)
 593                 return 0;
 594
 595         cert_list_size = 0;
 596         cert_list = gnutls_certificate_get_peers(SSL_P(F), &cert_list_size);
 597         if (cert_list == NULL)
 598         {
 599                 gnutls_x509_crt_deinit(cert);
 600                 return 0;
 601         }
 602
 603         if (gnutls_x509_crt_import(cert, &cert_list[0], GNUTLS_X509_FMT_DER) < 0)
 604         {
 605                 gnutls_x509_crt_deinit(cert);
 606                 return 0;
 607         }
 608
 609         switch(method)
 610         {
 611         case RB_SSL_CERTFP_METH_SHA1:
 612                 algo = GNUTLS_DIG_SHA1;
 613                 len = RB_SSL_CERTFP_LEN_SHA1;
 614                 break;
 615         case RB_SSL_CERTFP_METH_SHA256:
 616                 algo = GNUTLS_DIG_SHA256;
 617                 len = RB_SSL_CERTFP_LEN_SHA256;
 618                 break;
 619         case RB_SSL_CERTFP_METH_SHA512:
 620                 algo = GNUTLS_DIG_SHA512;
 621                 len = RB_SSL_CERTFP_LEN_SHA512;
 622                 break;
 623         default:
 624                 return 0;
 625         }
 626
 627         if (gnutls_x509_crt_get_fingerprint(cert, algo, digest, &digest_size) < 0)
 628         {
 629                 gnutls_x509_crt_deinit(cert);
 630                 return 0;
 631         }
 632
 633         memcpy(certfp, digest, len);
 634
 635         gnutls_x509_crt_deinit(cert);
 636         return len;
 637 }
 638
 639 int
 640 rb_supports_ssl(void)
 641 {
 642         return 1;
 643 }
 644
 645 void
 646 rb_get_ssl_info(char *buf, size_t len)
 647 {
 648         rb_snprintf(buf, len, "GNUTLS: compiled (%s), library(%s)",
 649                     LIBGNUTLS_VERSION, gnutls_check_version(NULL));
 650 }
 651
 652 const char *
 653 rb_ssl_get_cipher(rb_fde_t *F)
 654 {
 655         static char buf[1024];
 656
 657         rb_snprintf(buf, sizeof(buf), "%s-%s-%s-%s",
 658                 gnutls_protocol_get_name(gnutls_protocol_get_version(SSL_P(F))),
 659                 gnutls_kx_get_name(gnutls_kx_get(SSL_P(F))),
 660                 gnutls_cipher_get_name(gnutls_cipher_get(SSL_P(F))),
 661                 gnutls_mac_get_name(gnutls_mac_get(SSL_P(F))));
 662
 663         return buf;
 664 }
 665
 666 #endif /* HAVE_GNUTLS */