1 | /********************************************************************\ |
---|
2 | * BitlBee -- An IRC to other IM-networks gateway * |
---|
3 | * * |
---|
4 | * Copyright 2002-2004 Wilmer van der Gaast and others * |
---|
5 | \********************************************************************/ |
---|
6 | |
---|
7 | /* SSL module */ |
---|
8 | |
---|
9 | /* |
---|
10 | This program is free software; you can redistribute it and/or modify |
---|
11 | it under the terms of the GNU General Public License as published by |
---|
12 | the Free Software Foundation; either version 2 of the License, or |
---|
13 | (at your option) any later version. |
---|
14 | |
---|
15 | This program is distributed in the hope that it will be useful, |
---|
16 | but WITHOUT ANY WARRANTY; without even the implied warranty of |
---|
17 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
---|
18 | GNU General Public License for more details. |
---|
19 | |
---|
20 | You should have received a copy of the GNU General Public License with |
---|
21 | the Debian GNU/Linux distribution in /usr/share/common-licenses/GPL; |
---|
22 | if not, write to the Free Software Foundation, Inc., 51 Franklin St., |
---|
23 | Fifth Floor, Boston, MA 02110-1301 USA |
---|
24 | */ |
---|
25 | |
---|
26 | /* ssl_client makes it easier to open SSL connections to servers. (It |
---|
27 | doesn't offer SSL server functionality yet, but it could be useful |
---|
28 | to add it later.) Different ssl_client modules are available, and |
---|
29 | ssl_client tries to make them all behave the same. It's very simple |
---|
30 | and basic, it just imitates the proxy_connect() function from the |
---|
31 | Gaim libs and passes the socket to the program once the handshake |
---|
32 | is completed. */ |
---|
33 | |
---|
34 | #include <glib.h> |
---|
35 | #include "proxy.h" |
---|
36 | |
---|
37 | /* Some generic error codes. Especially SSL_AGAIN is important if you |
---|
38 | want to do asynchronous I/O. */ |
---|
39 | #define SSL_OK 0 |
---|
40 | #define SSL_NOHANDSHAKE 1 |
---|
41 | #define SSL_AGAIN 2 |
---|
42 | #define VERIFY_CERT_ERROR 2 |
---|
43 | #define VERIFY_CERT_INVALID 4 |
---|
44 | #define VERIFY_CERT_REVOKED 8 |
---|
45 | #define VERIFY_CERT_SIGNER_NOT_FOUND 16 |
---|
46 | #define VERIFY_CERT_SIGNER_NOT_CA 32 |
---|
47 | #define VERIFY_CERT_INSECURE_ALGORITHM 64 |
---|
48 | #define VERIFY_CERT_NOT_ACTIVATED 128 |
---|
49 | #define VERIFY_CERT_EXPIRED 256 |
---|
50 | #define VERIFY_CERT_WRONG_HOSTNAME 512 |
---|
51 | |
---|
52 | extern int ssl_errno; |
---|
53 | |
---|
54 | /* This is what your callback function should look like. */ |
---|
55 | typedef gboolean (*ssl_input_function)(gpointer, int, void*, b_input_condition); |
---|
56 | |
---|
57 | |
---|
58 | /* Perform any global initialization the SSL library might need. */ |
---|
59 | G_MODULE_EXPORT void ssl_init(void); |
---|
60 | |
---|
61 | /* Connect to host:port, call the given function when the connection is |
---|
62 | ready to be used for SSL traffic. This is all done asynchronously, no |
---|
63 | blocking I/O! (Except for the DNS lookups, for now...) */ |
---|
64 | G_MODULE_EXPORT void *ssl_connect(char *host, int port, gboolean verify, ssl_input_function func, gpointer data); |
---|
65 | |
---|
66 | /* Start an SSL session on an existing fd. Useful for STARTTLS functionality, |
---|
67 | for example in Jabber. */ |
---|
68 | G_MODULE_EXPORT void *ssl_starttls(int fd, char *hostname, gboolean verify, ssl_input_function func, gpointer data); |
---|
69 | |
---|
70 | /* Obviously you need special read/write functions to read data. */ |
---|
71 | G_MODULE_EXPORT int ssl_read(void *conn, char *buf, int len); |
---|
72 | G_MODULE_EXPORT int ssl_write(void *conn, const char *buf, int len); |
---|
73 | |
---|
74 | /* Now needed by most SSL libs. See for more info: |
---|
75 | http://www.gnu.org/software/gnutls/manual/gnutls.html#index-gnutls_005frecord_005fcheck_005fpending-209 |
---|
76 | http://www.openssl.org/docs/ssl/SSL_pending.html |
---|
77 | |
---|
78 | Required because OpenSSL empties the TCP buffer completely but doesn't |
---|
79 | necessarily give us all the unencrypted data. Or maybe you didn't ask |
---|
80 | for all of it because your buffer is too small. |
---|
81 | |
---|
82 | Returns 0 if there's nothing left, 1 if there's more data. */ |
---|
83 | G_MODULE_EXPORT int ssl_pending(void *conn); |
---|
84 | |
---|
85 | /* Abort the SSL connection and disconnect the socket. Do not use close() |
---|
86 | directly, both the SSL library and the peer will be unhappy! */ |
---|
87 | G_MODULE_EXPORT void ssl_disconnect(void *conn_); |
---|
88 | |
---|
89 | /* Get the fd for this connection, you will usually need it for event |
---|
90 | handling. */ |
---|
91 | G_MODULE_EXPORT int ssl_getfd(void *conn); |
---|
92 | |
---|
93 | /* This function returns B_EV_IO_READ/WRITE. With SSL connections it's |
---|
94 | possible that something has to be read while actually were trying to |
---|
95 | write something (think about key exchange/refresh/etc). So when an |
---|
96 | SSL operation returned SSL_AGAIN, *always* use this function when |
---|
97 | adding an event handler to the queue. (And it should perform exactly |
---|
98 | the same action as the handler that just received the SSL_AGAIN.) */ |
---|
99 | G_MODULE_EXPORT b_input_condition ssl_getdirection(void *conn); |
---|
100 | |
---|
101 | /* Converts a verification bitfield passed to ssl_input_function into |
---|
102 | a more useful string. Or NULL if it had no useful bits set. */ |
---|
103 | G_MODULE_EXPORT char *ssl_verify_strerror(int code); |
---|
104 | |
---|
105 | G_MODULE_EXPORT size_t ssl_des3_encrypt(const unsigned char *key, size_t key_len, const unsigned char *input, |
---|
106 | size_t input_len, const unsigned char *iv, unsigned char **res); |
---|