Add certfp support to libratbox and ssld.

This lets a user connect with a client certificate, and
passes the certificate's fingerprint to ircd, which
currently just notices it to the user.

A new ssld->ircd message 'F' is used to pass on the
fingerprint.

This is only for OpenSSL for now, not GNUTLS.
This commit is contained in:
Jilles Tjoelker 2010-01-31 19:04:20 +01:00
parent 47f9d6002a
commit 7247337afa
6 changed files with 83 additions and 0 deletions

View file

@ -100,6 +100,8 @@ void rb_note(rb_fde_t *, const char *);
#define RB_SELECT_ACCEPT RB_SELECT_READ #define RB_SELECT_ACCEPT RB_SELECT_READ
#define RB_SELECT_CONNECT RB_SELECT_WRITE #define RB_SELECT_CONNECT RB_SELECT_WRITE
#define RB_SSL_CERTFP_LEN 20
int rb_set_nb(rb_fde_t *); int rb_set_nb(rb_fde_t *);
int rb_set_buffers(rb_fde_t *, int); int rb_set_buffers(rb_fde_t *, int);
@ -141,6 +143,7 @@ int rb_select(unsigned long);
int rb_fd_ssl(rb_fde_t *F); int rb_fd_ssl(rb_fde_t *F);
int rb_get_fd(rb_fde_t *F); int rb_get_fd(rb_fde_t *F);
const char *rb_get_ssl_strerror(rb_fde_t *F); const char *rb_get_ssl_strerror(rb_fde_t *F);
int rb_get_ssl_certfp(rb_fde_t *F, uint8_t certfp[RB_SSL_CERTFP_LEN]);
rb_fde_t *rb_get_fde(int fd); rb_fde_t *rb_get_fde(int fd);

View file

@ -496,6 +496,13 @@ rb_get_ssl_strerror(rb_fde_t *F)
return gnutls_strerror(F->ssl_errno); return gnutls_strerror(F->ssl_errno);
} }
int
rb_get_ssl_certfp(rb_fde_t *F, uint8_t certfp[RB_SSL_CERTFP_LEN])
{
/* XXX implement this for gnutls */
return 0;
}
int int
rb_supports_ssl(void) rb_supports_ssl(void)
{ {

View file

@ -100,6 +100,12 @@ rb_get_ssl_strerror(rb_fde_t *F)
return nosupport; return nosupport;
} }
int
rb_get_ssl_certfp(rb_fde_t *F, uint8_t certfp[RB_SSL_CERTFP_LEN])
{
return 0;
}
void void
rb_ssl_start_accepted(rb_fde_t *new_F, ACCB * cb, void *data, int timeout) rb_ssl_start_accepted(rb_fde_t *new_F, ACCB * cb, void *data, int timeout)
{ {

View file

@ -281,6 +281,12 @@ rb_ssl_write(rb_fde_t *F, const void *buf, size_t count)
return rb_ssl_read_or_write(1, F, NULL, buf, count); return rb_ssl_read_or_write(1, F, NULL, buf, count);
} }
static int
verify_accept_all_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)
{
return 1;
}
int int
rb_init_ssl(void) rb_init_ssl(void)
{ {
@ -298,6 +304,7 @@ rb_init_ssl(void)
} }
/* Disable SSLv2, make the client use our settings */ /* Disable SSLv2, make the client use our settings */
SSL_CTX_set_options(ssl_server_ctx, SSL_OP_NO_SSLv2 | SSL_OP_CIPHER_SERVER_PREFERENCE); SSL_CTX_set_options(ssl_server_ctx, SSL_OP_NO_SSLv2 | SSL_OP_CIPHER_SERVER_PREFERENCE);
SSL_CTX_set_verify(ssl_server_ctx, SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE, verify_accept_all_cb);
ssl_client_ctx = SSL_CTX_new(TLSv1_client_method()); ssl_client_ctx = SSL_CTX_new(TLSv1_client_method());
@ -605,6 +612,32 @@ rb_get_ssl_strerror(rb_fde_t *F)
return ERR_error_string(F->ssl_errno, NULL); return ERR_error_string(F->ssl_errno, NULL);
} }
int
rb_get_ssl_certfp(rb_fde_t *F, uint8_t certfp[RB_SSL_CERTFP_LEN])
{
X509 *cert;
int res;
if (F->ssl == NULL)
return 0;
cert = SSL_get_peer_certificate((SSL *) F->ssl);
if(cert != NULL)
{
res = SSL_get_verify_result((SSL *) F->ssl);
if(res == X509_V_OK ||
res == X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN ||
res == X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE ||
res == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT)
{
memcpy(certfp, cert->sha1_hash, RB_SSL_CERTFP_LEN);
return 1;
}
}
return 0;
}
int int
rb_supports_ssl(void) rb_supports_ssl(void)
{ {

View file

@ -402,6 +402,29 @@ ssl_process_dead_fd(ssl_ctl_t * ctl, ssl_ctl_buf_t * ctl_buf)
exit_client(client_p, client_p, &me, reason); exit_client(client_p, client_p, &me, reason);
} }
static void
ssl_process_certfp(ssl_ctl_t * ctl, ssl_ctl_buf_t * ctl_buf)
{
struct Client *client_p;
int32_t fd;
uint8_t *certfp;
char certfp_string[RB_SSL_CERTFP_LEN * 2 + 1];
int i;
if(ctl_buf->buflen != 5 + RB_SSL_CERTFP_LEN)
return; /* bogus message..drop it.. XXX should warn here */
fd = buf_to_int32(&ctl_buf->buf[1]);
certfp = (uint8_t *)&ctl_buf->buf[5];
client_p = find_cli_fd_hash(fd);
if(client_p == NULL)
return;
for(i = 0; i < RB_SSL_CERTFP_LEN; i++)
rb_snprintf(certfp_string + 2 * i, 3, "%02x",
certfp[i]);
sendto_one_notice(client_p, ":*** CertFP is %s", certfp_string);
}
static void static void
ssl_process_cmd_recv(ssl_ctl_t * ctl) ssl_process_cmd_recv(ssl_ctl_t * ctl)
{ {
@ -422,6 +445,9 @@ ssl_process_cmd_recv(ssl_ctl_t * ctl)
case 'D': case 'D':
ssl_process_dead_fd(ctl, ctl_buf); ssl_process_dead_fd(ctl, ctl_buf);
break; break;
case 'F':
ssl_process_certfp(ctl, ctl_buf);
break;
case 'S': case 'S':
ssl_process_zipstats(ctl, ctl_buf); ssl_process_zipstats(ctl, ctl_buf);
break; break;

View file

@ -679,8 +679,16 @@ static void
ssl_process_accept_cb(rb_fde_t *F, int status, struct sockaddr *addr, rb_socklen_t len, void *data) ssl_process_accept_cb(rb_fde_t *F, int status, struct sockaddr *addr, rb_socklen_t len, void *data)
{ {
conn_t *conn = data; conn_t *conn = data;
char buf[5 + RB_SSL_CERTFP_LEN];
if(status == RB_OK) if(status == RB_OK)
{ {
if(rb_get_ssl_certfp(F, &buf[5]))
{
buf[0] = 'F';
int32_to_buf(&buf[1], conn->id);
mod_cmd_write_queue(conn->ctl, buf, sizeof buf);
}
conn_mod_read_cb(conn->mod_fd, conn); conn_mod_read_cb(conn->mod_fd, conn);
conn_plain_read_cb(conn->plain_fd, conn); conn_plain_read_cb(conn->plain_fd, conn);
return; return;