mirror of
https://github.com/unrealircd/unrealircd.git
synced 2026-07-10 04:23:12 +02:00
Mass rename of "ssl" to "tls" everywhere. Including conf/ssl to
conf/tls. If you are upgrading then conf/ssl will be renamed to conf/tls and a symlink will be added (so certbot etc won't fail). This is part 1...
This commit is contained in:
@@ -105,7 +105,7 @@ echo $CONF
|
||||
$CONF || exit 1
|
||||
cd "$UNREALCWD"
|
||||
if [ "$QUICK" != "1" ] ; then
|
||||
if [ ! -f $CONFDIR/ssl/server.cert.pem ]; then
|
||||
if [ ! -f $CONFDIR/tls/server.cert.pem -a ! -f $CONFDIR/ssl/server.cert.pem ]; then
|
||||
export OPENSSLPATH
|
||||
TEST=""
|
||||
while [ -z "$TEST" ] ; do
|
||||
@@ -142,10 +142,10 @@ if [ "$GENCERTIFICATE" = 1 ]; then
|
||||
sleep 1
|
||||
else
|
||||
echo "Ok, not generating SSL certificate. Make sure that the certificate and key"
|
||||
echo "are installed in conf/ssl/server.crt.pem and conf/ssl/server.key.pem prior to starting the IRCd."
|
||||
echo "are installed in conf/tls/server.crt.pem and conf/tls/server.key.pem prior to starting the IRCd."
|
||||
fi
|
||||
else
|
||||
echo "SSL certificate exists in $CONFDIR/ssl/server.cert.pem, no need to regenerate."
|
||||
echo "SSL certificate already exists in configuration directory, no need to regenerate."
|
||||
fi
|
||||
fi
|
||||
|
||||
|
||||
+9
-2
@@ -193,8 +193,6 @@ install: all
|
||||
$(INSTALL) -m 0600 doc/conf/help/*.conf @CONFDIR@/help
|
||||
$(INSTALL) -m 0700 -d @CONFDIR@/examples
|
||||
$(INSTALL) -m 0600 doc/conf/examples/*.conf @CONFDIR@/examples
|
||||
$(INSTALL) -m 0700 -d @CONFDIR@/ssl
|
||||
$(INSTALL) -m 0600 doc/conf/ssl/curl-ca-bundle.crt @CONFDIR@/ssl
|
||||
$(INSTALL) -m 0700 unrealircd @SCRIPTDIR@
|
||||
$(INSTALL) -m 0700 -d @MODULESDIR@
|
||||
$(INSTALL) -m 0700 src/modules/*.so @MODULESDIR@
|
||||
@@ -206,6 +204,15 @@ install: all
|
||||
$(INSTALL) -m 0700 src/modules/snomasks/*.so @MODULESDIR@/snomasks
|
||||
$(INSTALL) -m 0700 -d @MODULESDIR@/extbans
|
||||
$(INSTALL) -m 0700 src/modules/extbans/*.so @MODULESDIR@/extbans
|
||||
@#If the conf/ssl directory exists then rename it here to conf/tls
|
||||
@#and add a symlink for backwards compatibility (so that f.e. certbot
|
||||
@#doesn't randomly fail after an upgrade to U5).
|
||||
-@if [ -d "@CONFDIR@/ssl" ] ; then \
|
||||
mv "@CONFDIR@/ssl" "@CONFDIR@/tls" ; \
|
||||
ln -s "@CONFDIR@/tls" "@CONFDIR@/ssl" ; \
|
||||
fi
|
||||
$(INSTALL) -m 0700 -d @CONFDIR@/tls
|
||||
$(INSTALL) -m 0600 doc/conf/ssl/curl-ca-bundle.crt @CONFDIR@/ssl
|
||||
@# delete modules/cap directory, to avoid confusing with U4 to U5 upgrades:
|
||||
rm -rf @MODULESDIR@/cap
|
||||
$(INSTALL) -m 0700 -d @MODULESDIR@/third
|
||||
|
||||
+4
-4
@@ -63,7 +63,7 @@ struct zConfiguration {
|
||||
unsigned ident_check:1;
|
||||
unsigned fail_oper_warn:1;
|
||||
unsigned show_connect_info:1;
|
||||
unsigned no_connect_ssl_info:1;
|
||||
unsigned no_connect_tls_info:1;
|
||||
unsigned dont_resolve:1;
|
||||
unsigned use_ban_version:1;
|
||||
unsigned mkpasswd_for_everyone:1;
|
||||
@@ -93,7 +93,7 @@ struct zConfiguration {
|
||||
char *egd_path;
|
||||
char *static_quit;
|
||||
char *static_part;
|
||||
SSLOptions *ssl_options;
|
||||
TLSOptions *tls_options;
|
||||
Policy plaintext_policy_user;
|
||||
char *plaintext_policy_user_message;
|
||||
Policy plaintext_policy_oper;
|
||||
@@ -194,7 +194,7 @@ extern MODVAR int ipv6_disabled;
|
||||
#define IDENT_CHECK iConf.ident_check
|
||||
#define FAILOPER_WARN iConf.fail_oper_warn
|
||||
#define SHOWCONNECTINFO iConf.show_connect_info
|
||||
#define NOCONNECTSSLINFO iConf.no_connect_ssl_info
|
||||
#define NOCONNECTSSLINFO iConf.no_connect_tls_info
|
||||
#define OPER_ONLY_STATS iConf.oper_only_stats
|
||||
#define ANTI_SPAM_QUIT_MSG_TIME iConf.anti_spam_quit_message_time
|
||||
#ifdef HAVE_RAND_EGD
|
||||
@@ -360,7 +360,7 @@ struct SetCheck {
|
||||
unsigned has_options_fail_oper_warn:1;
|
||||
unsigned has_options_dont_resolve:1;
|
||||
unsigned has_options_show_connect_info:1;
|
||||
unsigned has_options_no_connect_ssl_info:1;
|
||||
unsigned has_options_no_connect_tls_info:1;
|
||||
unsigned has_options_mkpasswd_for_everyone:1;
|
||||
unsigned has_options_allow_insane_bans:1;
|
||||
unsigned has_options_allow_part_if_shunned:1;
|
||||
|
||||
+2
-2
@@ -526,7 +526,7 @@ extern time_t rfc2time(char *s);
|
||||
extern char *rfctime(time_t t, char *buf);
|
||||
extern void *MyMallocEx(size_t size);
|
||||
extern MODFUNC char *ssl_get_cipher(SSL *ssl);
|
||||
extern SSLOptions *get_ssl_options_for_client(aClient *acptr);
|
||||
extern TLSOptions *get_tls_options_for_client(aClient *acptr);
|
||||
extern int outdated_tls_client(aClient *acptr);
|
||||
extern char *outdated_tls_client_build_string(char *pattern, aClient *acptr);
|
||||
extern long config_checkval(char *value, unsigned short flags);
|
||||
@@ -815,7 +815,7 @@ extern int has_common_channels(aClient *c1, aClient *c2);
|
||||
extern int user_can_see_member(aClient *user, aClient *target, aChannel *chptr);
|
||||
extern int invisible_user_in_channel(aClient *target, aChannel *chptr);
|
||||
extern MODVAR int ssl_client_index;
|
||||
extern SSLOptions *FindSSLOptionsForUser(aClient *acptr);
|
||||
extern TLSOptions *FindTLSOptionsForUser(aClient *acptr);
|
||||
extern int IsWebsocket(aClient *acptr);
|
||||
extern Policy policy_strtoval(char *s);
|
||||
extern char *policy_valtostr(Policy policy);
|
||||
|
||||
+6
-6
@@ -12,11 +12,11 @@ extern int ircd_SSL_connect(aClient *acptr, int fd);
|
||||
extern int SSL_smart_shutdown(SSL *ssl);
|
||||
extern void ircd_SSL_client_handshake(int, int, void *);
|
||||
extern void SSL_set_nonblocking(SSL *s);
|
||||
extern SSL_CTX *init_ctx(SSLOptions *ssloptions, int server);
|
||||
extern SSL_CTX *init_ctx(TLSOptions *tlsoptions, int server);
|
||||
|
||||
#define SSL_PROTOCOL_TLSV1 0x0001
|
||||
#define SSL_PROTOCOL_TLSV1_1 0x0002
|
||||
#define SSL_PROTOCOL_TLSV1_2 0x0004
|
||||
#define SSL_PROTOCOL_TLSV1_3 0x0008
|
||||
#define TLS_PROTOCOL_TLSV1 0x0001
|
||||
#define TLS_PROTOCOL_TLSV1_1 0x0002
|
||||
#define TLS_PROTOCOL_TLSV1_2 0x0004
|
||||
#define TLS_PROTOCOL_TLSV1_3 0x0008
|
||||
|
||||
#define SSL_PROTOCOL_ALL 0xffff
|
||||
#define TLS_PROTOCOL_ALL 0xffff
|
||||
|
||||
+30
-30
@@ -247,9 +247,9 @@ typedef OperPermission (*OperClassEntryEvalCallback)(OperClassACLEntryVar* varia
|
||||
|
||||
#define STAT_LOG -7 /* logfile for -x */
|
||||
#define STAT_CONNECTING -6
|
||||
#define STAT_SSL_STARTTLS_HANDSHAKE -8
|
||||
#define STAT_SSL_CONNECT_HANDSHAKE -5
|
||||
#define STAT_SSL_ACCEPT_HANDSHAKE -4
|
||||
#define STAT_TLS_STARTTLS_HANDSHAKE -8
|
||||
#define STAT_TLS_CONNECT_HANDSHAKE -5
|
||||
#define STAT_TLS_ACCEPT_HANDSHAKE -4
|
||||
#define STAT_HANDSHAKE -3
|
||||
#define STAT_ME -2
|
||||
#define STAT_UNKNOWN -1
|
||||
@@ -264,18 +264,18 @@ typedef OperPermission (*OperClassEntryEvalCallback)(OperClassACLEntryVar* varia
|
||||
#define IsConnecting(x) ((x)->status == STAT_CONNECTING)
|
||||
#define IsHandshake(x) ((x)->status == STAT_HANDSHAKE)
|
||||
#define IsMe(x) ((x)->status == STAT_ME)
|
||||
#define IsUnknown(x) (((x)->status == STAT_UNKNOWN) || ((x)->status == STAT_SSL_STARTTLS_HANDSHAKE))
|
||||
#define IsUnknown(x) (((x)->status == STAT_UNKNOWN) || ((x)->status == STAT_TLS_STARTTLS_HANDSHAKE))
|
||||
#define IsServer(x) ((x)->status == STAT_SERVER)
|
||||
#define IsClient(x) ((x)->status == STAT_CLIENT)
|
||||
#define IsLog(x) ((x)->status == STAT_LOG)
|
||||
|
||||
#define IsSSLStartTLSHandshake(x) ((x)->status == STAT_SSL_STARTTLS_HANDSHAKE)
|
||||
#define IsSSLAcceptHandshake(x) ((x)->status == STAT_SSL_ACCEPT_HANDSHAKE)
|
||||
#define IsSSLConnectHandshake(x) ((x)->status == STAT_SSL_CONNECT_HANDSHAKE)
|
||||
#define IsSSLHandshake(x) (IsSSLAcceptHandshake(x) || IsSSLConnectHandshake(x) | IsSSLStartTLSHandshake(x))
|
||||
#define SetSSLStartTLSHandshake(x) ((x)->status = STAT_SSL_STARTTLS_HANDSHAKE)
|
||||
#define SetSSLAcceptHandshake(x) ((x)->status = STAT_SSL_ACCEPT_HANDSHAKE)
|
||||
#define SetSSLConnectHandshake(x) ((x)->status = STAT_SSL_CONNECT_HANDSHAKE)
|
||||
#define IsStartTLSHandshake(x) ((x)->status == STAT_TLS_STARTTLS_HANDSHAKE)
|
||||
#define IsTLSAcceptHandshake(x) ((x)->status == STAT_TLS_ACCEPT_HANDSHAKE)
|
||||
#define IsTLSConnectHandshake(x) ((x)->status == STAT_TLS_CONNECT_HANDSHAKE)
|
||||
#define IsTLSHandshake(x) (IsTLSAcceptHandshake(x) || IsTLSConnectHandshake(x) | IsStartTLSHandshake(x))
|
||||
#define SetStartTLSHandshake(x) ((x)->status = STAT_TLS_STARTTLS_HANDSHAKE)
|
||||
#define SetTLSAcceptHandshake(x) ((x)->status = STAT_TLS_ACCEPT_HANDSHAKE)
|
||||
#define SetTLSConnectHandshake(x) ((x)->status = STAT_TLS_CONNECT_HANDSHAKE)
|
||||
|
||||
#define SetConnecting(x) ((x)->status = STAT_CONNECTING)
|
||||
#define SetHandshake(x) ((x)->status = STAT_HANDSHAKE)
|
||||
@@ -312,7 +312,7 @@ typedef OperPermission (*OperClassEntryEvalCallback)(OperClassACLEntryVar* varia
|
||||
#define FLAGS_DCCNOTICE 0x00100000 /* Has the user seen a notice on how to use DCCALLOW already? */
|
||||
#define FLAGS_SHUNNED 0x00200000 /* Connection is shunned */
|
||||
#define FLAGS_VIRUS 0x00400000 /* Tagged by spamfilter */
|
||||
#define FLAGS_SSL 0x00800000 /* Connection is using SSL/TLS */
|
||||
#define FLAGS_TLS 0x00800000 /* Connection is using SSL/TLS */
|
||||
#define FLAGS_NOFAKELAG 0x01000000 /* Exemption from fake lag */
|
||||
#define FLAGS_DCCBLOCK 0x02000000 /* Block all DCC send requests */
|
||||
#define FLAGS_MAP 0x04000000 /* Show this entry in /MAP */
|
||||
@@ -388,7 +388,7 @@ typedef OperPermission (*OperClassEntryEvalCallback)(OperClassACLEntryVar* varia
|
||||
#define IsVirus(x) ((x)->flags & FLAGS_VIRUS)
|
||||
#define SetVirus(x) ((x)->flags |= FLAGS_VIRUS)
|
||||
#define ClearVirus(x) ((x)->flags &= ~FLAGS_VIRUS)
|
||||
#define IsSecure(x) ((x)->flags & FLAGS_SSL)
|
||||
#define IsSecure(x) ((x)->flags & FLAGS_TLS)
|
||||
|
||||
/* Fake lag exception */
|
||||
#define IsNoFakeLag(x) ((x)->flags & FLAGS_NOFAKELAG)
|
||||
@@ -398,7 +398,7 @@ typedef OperPermission (*OperClassEntryEvalCallback)(OperClassACLEntryVar* varia
|
||||
#define IsHidden(x) ((x)->umodes & UMODE_HIDE)
|
||||
#define IsSetHost(x) ((x)->umodes & UMODE_SETHOST)
|
||||
#define IsHideOper(x) ((x)->umodes & UMODE_HIDEOPER)
|
||||
#define IsSSL(x) IsSecure(x)
|
||||
#define IsTLS(x) IsSecure(x)
|
||||
#define IsNotSpoof(x) ((x)->local->nospoof == 0)
|
||||
|
||||
#define GetHost(x) (IsHidden(x) ? (x)->user->virthost : (x)->user->realhost)
|
||||
@@ -825,13 +825,13 @@ extern void unload_all_unused_moddata(void);
|
||||
#define LISTENER_NORMAL 0x000001
|
||||
#define LISTENER_CLIENTSONLY 0x000002
|
||||
#define LISTENER_SERVERSONLY 0x000004
|
||||
#define LISTENER_SSL 0x000010
|
||||
#define LISTENER_TLS 0x000010
|
||||
#define LISTENER_BOUND 0x000020
|
||||
#define LISTENER_DEFER_ACCEPT 0x000040
|
||||
|
||||
#define IsServersOnlyListener(x) ((x) && ((x)->options & LISTENER_SERVERSONLY))
|
||||
|
||||
#define CONNECT_SSL 0x000001
|
||||
#define CONNECT_TLS 0x000001
|
||||
//0x000002 unused (was ziplinks)
|
||||
#define CONNECT_AUTO 0x000004
|
||||
#define CONNECT_QUARANTINE 0x000008
|
||||
@@ -839,9 +839,9 @@ extern void unload_all_unused_moddata(void);
|
||||
#define CONNECT_NOHOSTCHECK 0x000020
|
||||
#define CONNECT_INSECURE 0x000040
|
||||
|
||||
#define SSLFLAG_FAILIFNOCERT 0x1
|
||||
#define SSLFLAG_NOSTARTTLS 0x8
|
||||
#define SSLFLAG_DISABLECLIENTCERT 0x10
|
||||
#define TLSFLAG_FAILIFNOCERT 0x1
|
||||
#define TLSFLAG_NOSTARTTLS 0x8
|
||||
#define TLSFLAG_DISABLECLIENTCERT 0x10
|
||||
|
||||
struct Client {
|
||||
struct list_head client_node; /* for global client list (client_list) */
|
||||
@@ -1090,7 +1090,7 @@ struct _configitem_class {
|
||||
struct _configflag_allow {
|
||||
unsigned noident :1;
|
||||
unsigned useip :1;
|
||||
unsigned ssl :1;
|
||||
unsigned tls :1;
|
||||
};
|
||||
|
||||
struct _configitem_allow {
|
||||
@@ -1167,13 +1167,13 @@ struct _configitem_oper {
|
||||
int maxlogins;
|
||||
};
|
||||
|
||||
/** The SSL options that are used in set::ssl and otherblocks::ssl-options.
|
||||
/** The SSL/TLS options that are used in set::tls and otherblocks::tls-options.
|
||||
* NOTE: If you add something here then you must also update the
|
||||
* conf_sslblock() function in s_conf.c to have it inherited
|
||||
* from set::ssl to the other config blocks!
|
||||
* conf_tlsblock() function in s_conf.c to have it inherited
|
||||
* from set::tls to the other config blocks!
|
||||
*/
|
||||
typedef struct _ssloptions SSLOptions;
|
||||
struct _ssloptions {
|
||||
typedef struct _tlsoptions TLSOptions;
|
||||
struct _tlsoptions {
|
||||
char *certificate_file;
|
||||
char *key_file;
|
||||
char *dh_file;
|
||||
@@ -1209,7 +1209,7 @@ struct _configitem_ulines {
|
||||
char *servername;
|
||||
};
|
||||
|
||||
#define TLD_SSL 0x1
|
||||
#define TLD_TLS 0x1
|
||||
#define TLD_REMOTE 0x2
|
||||
|
||||
struct _configitem_tld {
|
||||
@@ -1231,7 +1231,7 @@ struct _configitem_listen {
|
||||
int fd;
|
||||
int ipv6;
|
||||
SSL_CTX *ssl_ctx;
|
||||
SSLOptions *ssl_options;
|
||||
TLSOptions *tls_options;
|
||||
};
|
||||
|
||||
struct _configitem_sni {
|
||||
@@ -1239,7 +1239,7 @@ struct _configitem_sni {
|
||||
ConfigFlag flag;
|
||||
char *name;
|
||||
SSL_CTX *ssl_ctx;
|
||||
SSLOptions *ssl_options;
|
||||
TLSOptions *tls_options;
|
||||
};
|
||||
|
||||
struct _configitem_vhost {
|
||||
@@ -1263,7 +1263,7 @@ struct _configitem_link {
|
||||
char *bind_ip; /**< Our IP to bind to when doing the connect */
|
||||
char *hostname; /**< Hostname or IP to connect to */
|
||||
int port; /**< Port to connect to */
|
||||
int options; /**< Connect options like ssl or autoconnect */
|
||||
int options; /**< Connect options like tls or autoconnect */
|
||||
} outgoing;
|
||||
anAuthStruct *auth; /**< authentication method (eg: password) */
|
||||
char *hub; /**< Hub mask */
|
||||
@@ -1277,7 +1277,7 @@ struct _configitem_link {
|
||||
time_t hold; /**< For how long the server is "on hold" for outgoing connects (why?) */
|
||||
char *connect_ip; /**< actual IP to use for outgoing connect (filled in after host is resolved) */
|
||||
SSL_CTX *ssl_ctx; /**< SSL Context for outgoing connection (optional) */
|
||||
SSLOptions *ssl_options; /**< SSL Options for outgoing connection (optional) */
|
||||
TLSOptions *tls_options; /**< SSL Options for outgoing connection (optional) */
|
||||
};
|
||||
|
||||
struct _configitem_except {
|
||||
|
||||
@@ -432,7 +432,7 @@ void close_listener(ConfigItem_listen *listener)
|
||||
ircd_log(LOG_ERROR, "IRCd no longer listening on %s:%d (%s)%s",
|
||||
listener->ip, listener->port,
|
||||
listener->ipv6 ? "IPv6" : "IPv4",
|
||||
listener->options & LISTENER_SSL ? " (SSL)" : "");
|
||||
listener->options & LISTENER_TLS ? " (SSL)" : "");
|
||||
fd_close(listener->fd);
|
||||
--OpenFiles;
|
||||
}
|
||||
@@ -753,7 +753,7 @@ void close_connection(aClient *cptr)
|
||||
if (cptr->fd >= 0)
|
||||
{
|
||||
send_queued(cptr);
|
||||
if (IsSSL(cptr) && cptr->local->ssl) {
|
||||
if (IsTLS(cptr) && cptr->local->ssl) {
|
||||
SSL_set_shutdown(cptr->local->ssl, SSL_RECEIVED_SHUTDOWN);
|
||||
SSL_smart_shutdown(cptr->local->ssl);
|
||||
SSL_free(cptr->local->ssl);
|
||||
@@ -1042,19 +1042,19 @@ refuse_client:
|
||||
|
||||
list_add(&acptr->lclient_node, &unknown_list);
|
||||
|
||||
if ((listener->options & LISTENER_SSL) && ctx_server)
|
||||
if ((listener->options & LISTENER_TLS) && ctx_server)
|
||||
{
|
||||
SSL_CTX *ctx = listener->ssl_ctx ? listener->ssl_ctx : ctx_server;
|
||||
|
||||
if (ctx)
|
||||
{
|
||||
SetSSLAcceptHandshake(acptr);
|
||||
SetTLSAcceptHandshake(acptr);
|
||||
Debug((DEBUG_DEBUG, "Starting SSL accept handshake for %s", acptr->local->sockhost));
|
||||
if ((acptr->local->ssl = SSL_new(ctx)) == NULL)
|
||||
{
|
||||
goto refuse_client;
|
||||
}
|
||||
acptr->flags |= FLAGS_SSL;
|
||||
acptr->flags |= FLAGS_TLS;
|
||||
SSL_set_fd(acptr->local->ssl, fd);
|
||||
SSL_set_nonblocking(acptr->local->ssl);
|
||||
SSL_set_ex_data(acptr->local->ssl, ssl_client_index, acptr);
|
||||
@@ -1234,7 +1234,7 @@ void read_packet(int fd, int revents, void *data)
|
||||
|
||||
while (1)
|
||||
{
|
||||
if (IsSSL(cptr) && cptr->local->ssl != NULL)
|
||||
if (IsTLS(cptr) && cptr->local->ssl != NULL)
|
||||
{
|
||||
length = SSL_read(cptr->local->ssl, readbuf, sizeof(readbuf));
|
||||
|
||||
@@ -1482,9 +1482,9 @@ int connect_server(ConfigItem_link *aconf, aClient *by, struct hostent *hp)
|
||||
set_sockhost(cptr, aconf->outgoing.hostname);
|
||||
add_client_to_list(cptr);
|
||||
|
||||
if (aconf->outgoing.options & CONNECT_SSL)
|
||||
if (aconf->outgoing.options & CONNECT_TLS)
|
||||
{
|
||||
SetSSLConnectHandshake(cptr);
|
||||
SetTLSConnectHandshake(cptr);
|
||||
fd_setselect(cptr->fd, FD_SELECT_WRITE, ircd_SSL_client_handshake, cptr);
|
||||
}
|
||||
else
|
||||
|
||||
+164
-161
@@ -141,8 +141,9 @@ static NameValue _ListenerFlags[] = {
|
||||
{ LISTENER_CLIENTSONLY, "clientsonly"},
|
||||
{ LISTENER_DEFER_ACCEPT, "defer-accept"},
|
||||
{ LISTENER_SERVERSONLY, "serversonly"},
|
||||
{ LISTENER_SSL, "ssl"},
|
||||
{ LISTENER_TLS, "ssl"},
|
||||
{ LISTENER_NORMAL, "standard"},
|
||||
{ LISTENER_TLS, "tls"},
|
||||
};
|
||||
|
||||
/* This MUST be alphabetized */
|
||||
@@ -150,7 +151,8 @@ static NameValue _LinkFlags[] = {
|
||||
{ CONNECT_AUTO, "autoconnect" },
|
||||
{ CONNECT_INSECURE, "insecure" },
|
||||
{ CONNECT_QUARANTINE, "quarantine"},
|
||||
{ CONNECT_SSL, "ssl" },
|
||||
{ CONNECT_TLS, "ssl" },
|
||||
{ CONNECT_TLS, "tls" },
|
||||
};
|
||||
|
||||
/* This MUST be alphabetized */
|
||||
@@ -179,10 +181,10 @@ static NameValue ExceptTklFlags[] = {
|
||||
};
|
||||
|
||||
/* This MUST be alphabetized */
|
||||
static NameValue _SSLFlags[] = {
|
||||
{ SSLFLAG_FAILIFNOCERT, "fail-if-no-clientcert" },
|
||||
{ SSLFLAG_DISABLECLIENTCERT, "no-client-certificate" },
|
||||
{ SSLFLAG_NOSTARTTLS, "no-starttls" },
|
||||
static NameValue _TLSFlags[] = {
|
||||
{ TLSFLAG_FAILIFNOCERT, "fail-if-no-clientcert" },
|
||||
{ TLSFLAG_DISABLECLIENTCERT, "no-client-certificate" },
|
||||
{ TLSFLAG_NOSTARTTLS, "no-starttls" },
|
||||
};
|
||||
|
||||
struct {
|
||||
@@ -229,12 +231,12 @@ extern void unload_all_unused_history_backends(void);
|
||||
|
||||
int reloadable_perm_module_unloaded(void);
|
||||
|
||||
int ssl_tests(void);
|
||||
int tls_tests(void);
|
||||
|
||||
/* Conf sub-sub-functions */
|
||||
void test_sslblock(ConfigFile *conf, ConfigEntry *cep, int *totalerrors);
|
||||
void conf_sslblock(ConfigFile *conf, ConfigEntry *cep, SSLOptions *ssloptions);
|
||||
void free_ssl_options(SSLOptions *ssloptions);
|
||||
void test_tlsblock(ConfigFile *conf, ConfigEntry *cep, int *totalerrors);
|
||||
void conf_tlsblock(ConfigFile *conf, ConfigEntry *cep, TLSOptions *tlsoptions);
|
||||
void free_tls_options(TLSOptions *tlsoptions);
|
||||
|
||||
/*
|
||||
* Config parser (IRCd)
|
||||
@@ -289,7 +291,7 @@ int config_verbose = 0;
|
||||
|
||||
MODVAR int need_34_upgrade = 0;
|
||||
int need_operclass_permissions_upgrade = 0;
|
||||
int have_ssl_listeners = 0;
|
||||
int have_tls_listeners = 0;
|
||||
char *port_6667_ip = NULL;
|
||||
|
||||
void add_include(const char *filename, const char *included_from, int included_from_line);
|
||||
@@ -1441,10 +1443,10 @@ void free_iConf(aConfiguration *i)
|
||||
safefree(i->channel_command_prefix);
|
||||
safefree(i->oper_snomask);
|
||||
safefree(i->static_quit);
|
||||
if (i->ssl_options)
|
||||
if (i->tls_options)
|
||||
{
|
||||
free_ssl_options(i->ssl_options);
|
||||
i->ssl_options = NULL;
|
||||
free_tls_options(i->tls_options);
|
||||
i->tls_options = NULL;
|
||||
}
|
||||
safefree(i->restrict_usermodes);
|
||||
safefree(i->restrict_channelmodes);
|
||||
@@ -1524,25 +1526,25 @@ void config_setdefaultsettings(aConfiguration *i)
|
||||
i->broadcast_channel_messages = BROADCAST_CHANNEL_MESSAGES_AUTO;
|
||||
|
||||
/* SSL/TLS options */
|
||||
i->ssl_options = MyMallocEx(sizeof(SSLOptions));
|
||||
snprintf(tmp, sizeof(tmp), "%s/ssl/server.cert.pem", CONFDIR);
|
||||
i->ssl_options->certificate_file = strdup(tmp);
|
||||
snprintf(tmp, sizeof(tmp), "%s/ssl/server.key.pem", CONFDIR);
|
||||
i->ssl_options->key_file = strdup(tmp);
|
||||
snprintf(tmp, sizeof(tmp), "%s/ssl/curl-ca-bundle.crt", CONFDIR);
|
||||
i->ssl_options->trusted_ca_file = strdup(tmp);
|
||||
i->ssl_options->ciphers = strdup(UNREALIRCD_DEFAULT_CIPHERS);
|
||||
i->ssl_options->ciphersuites = strdup(UNREALIRCD_DEFAULT_CIPHERSUITES);
|
||||
i->ssl_options->protocols = SSL_PROTOCOL_ALL;
|
||||
i->tls_options = MyMallocEx(sizeof(TLSOptions));
|
||||
snprintf(tmp, sizeof(tmp), "%s/tls/server.cert.pem", CONFDIR);
|
||||
i->tls_options->certificate_file = strdup(tmp);
|
||||
snprintf(tmp, sizeof(tmp), "%s/tls/server.key.pem", CONFDIR);
|
||||
i->tls_options->key_file = strdup(tmp);
|
||||
snprintf(tmp, sizeof(tmp), "%s/tls/curl-ca-bundle.crt", CONFDIR);
|
||||
i->tls_options->trusted_ca_file = strdup(tmp);
|
||||
i->tls_options->ciphers = strdup(UNREALIRCD_DEFAULT_CIPHERS);
|
||||
i->tls_options->ciphersuites = strdup(UNREALIRCD_DEFAULT_CIPHERSUITES);
|
||||
i->tls_options->protocols = TLS_PROTOCOL_ALL;
|
||||
#ifdef HAS_SSL_CTX_SET1_CURVES_LIST
|
||||
i->ssl_options->ecdh_curves = strdup(UNREALIRCD_DEFAULT_ECDH_CURVES);
|
||||
i->tls_options->ecdh_curves = strdup(UNREALIRCD_DEFAULT_ECDH_CURVES);
|
||||
#endif
|
||||
i->ssl_options->outdated_protocols = strdup("TLSv1,TLSv1.1");
|
||||
i->tls_options->outdated_protocols = strdup("TLSv1,TLSv1.1");
|
||||
/* the following may look strange but "AES*" matches all
|
||||
* AES ciphersuites that do not have Forward Secrecy.
|
||||
* Any decent client using AES will use ECDHE-xx-AES.
|
||||
*/
|
||||
i->ssl_options->outdated_ciphers = strdup("AES*,RC4*,DES*");
|
||||
i->tls_options->outdated_ciphers = strdup("AES*,RC4*,DES*");
|
||||
|
||||
i->plaintext_policy_user = POLICY_ALLOW;
|
||||
i->plaintext_policy_oper = POLICY_DENY;
|
||||
@@ -1773,7 +1775,7 @@ void config_test_reset(void)
|
||||
int config_test_all(void)
|
||||
{
|
||||
if ((config_test() < 0) || (callbacks_check() < 0) || (efunctions_check() < 0) ||
|
||||
reloadable_perm_module_unloaded() || !ssl_tests())
|
||||
reloadable_perm_module_unloaded() || !tls_tests())
|
||||
{
|
||||
return 0;
|
||||
}
|
||||
@@ -2424,12 +2426,12 @@ void config_rehash()
|
||||
}
|
||||
conf_offchans = NULL;
|
||||
|
||||
/* Free sni { } blocks */
|
||||
/* Free sni { } blocks */
|
||||
for (sni = conf_sni; sni; sni = (ConfigItem_sni *)next)
|
||||
{
|
||||
next = (ListStruct *)sni->next;
|
||||
SSL_CTX_free(sni->ssl_ctx);
|
||||
free_ssl_options(sni->ssl_options);
|
||||
free_tls_options(sni->tls_options);
|
||||
safefree(sni->name);
|
||||
MyFree(sni);
|
||||
}
|
||||
@@ -2892,7 +2894,7 @@ ConfigItem_tld *Find_tld(aClient *cptr)
|
||||
{
|
||||
if (match_user(tld->mask, cptr, MATCH_CHECK_REAL))
|
||||
{
|
||||
if ((tld->options & TLD_SSL) && !IsSecureConnect(cptr))
|
||||
if ((tld->options & TLD_TLS) && !IsSecureConnect(cptr))
|
||||
continue;
|
||||
if ((tld->options & TLD_REMOTE) && MyClient(cptr))
|
||||
continue;
|
||||
@@ -4479,8 +4481,8 @@ int _conf_tld(ConfigFile *conf, ConfigEntry *ce)
|
||||
ConfigEntry *cepp;
|
||||
for (cepp = cep->ce_entries; cepp; cepp = cepp->ce_next)
|
||||
{
|
||||
if (!strcmp(cepp->ce_varname, "ssl"))
|
||||
ca->options |= TLD_SSL;
|
||||
if (!strcmp(cepp->ce_varname, "ssl") || !strcmp(cepp->ce_varname, "tls"))
|
||||
ca->options |= TLD_TLS;
|
||||
else if (!strcmp(cepp->ce_varname, "remote"))
|
||||
ca->options |= TLD_REMOTE;
|
||||
}
|
||||
@@ -4651,7 +4653,8 @@ int _test_tld(ConfigFile *conf, ConfigEntry *ce)
|
||||
for (cep2 = cep->ce_entries; cep2; cep2 = cep2->ce_next)
|
||||
{
|
||||
if (strcmp(cep2->ce_varname, "ssl") &&
|
||||
strcmp(cep2->ce_varname, "remote"))
|
||||
strcmp(cep2->ce_varname, "tls") &&
|
||||
strcmp(cep2->ce_varname, "remote"))
|
||||
{
|
||||
config_error_unknownopt(cep2->ce_fileptr->cf_filename,
|
||||
cep2->ce_varlinenum, "tld", cep2->ce_varname);
|
||||
@@ -4692,7 +4695,7 @@ int _conf_listen(ConfigFile *conf, ConfigEntry *ce)
|
||||
{
|
||||
ConfigEntry *cep;
|
||||
ConfigEntry *cepp;
|
||||
ConfigEntry *sslconfig = NULL;
|
||||
ConfigEntry *tlsconfig = NULL;
|
||||
ConfigItem_listen *listen = NULL;
|
||||
char *ip = NULL;
|
||||
int start=0, end=0, port, isnew;
|
||||
@@ -4720,9 +4723,9 @@ int _conf_listen(ConfigFile *conf, ConfigEntry *ce)
|
||||
tmpflags |= ofp->flag;
|
||||
}
|
||||
} else
|
||||
if (!strcmp(cep->ce_varname, "ssl-options"))
|
||||
if (!strcmp(cep->ce_varname, "ssl-options") || !strcmp(cep->ce_varname, "tls-options"))
|
||||
{
|
||||
sslconfig = cep;
|
||||
tlsconfig = cep;
|
||||
} else
|
||||
{
|
||||
for (h = Hooks[HOOKTYPE_CONFIGRUN]; h; h = h->next)
|
||||
@@ -4763,17 +4766,17 @@ int _conf_listen(ConfigFile *conf, ConfigEntry *ce)
|
||||
listen->ssl_ctx = NULL;
|
||||
}
|
||||
|
||||
if (listen->ssl_options)
|
||||
if (listen->tls_options)
|
||||
{
|
||||
free_ssl_options(listen->ssl_options);
|
||||
listen->ssl_options = NULL;
|
||||
free_tls_options(listen->tls_options);
|
||||
listen->tls_options = NULL;
|
||||
}
|
||||
|
||||
if (sslconfig)
|
||||
if (tlsconfig)
|
||||
{
|
||||
listen->ssl_options = MyMallocEx(sizeof(SSLOptions));
|
||||
conf_sslblock(conf, sslconfig, listen->ssl_options);
|
||||
listen->ssl_ctx = init_ctx(listen->ssl_options, 1);
|
||||
listen->tls_options = MyMallocEx(sizeof(TLSOptions));
|
||||
conf_tlsblock(conf, tlsconfig, listen->tls_options);
|
||||
listen->ssl_ctx = init_ctx(listen->tls_options, 1);
|
||||
}
|
||||
}
|
||||
|
||||
@@ -4807,17 +4810,17 @@ int _conf_listen(ConfigFile *conf, ConfigEntry *ce)
|
||||
listen->ssl_ctx = NULL;
|
||||
}
|
||||
|
||||
if (listen->ssl_options)
|
||||
if (listen->tls_options)
|
||||
{
|
||||
free_ssl_options(listen->ssl_options);
|
||||
listen->ssl_options = NULL;
|
||||
free_tls_options(listen->tls_options);
|
||||
listen->tls_options = NULL;
|
||||
}
|
||||
|
||||
if (sslconfig)
|
||||
if (tlsconfig)
|
||||
{
|
||||
listen->ssl_options = MyMallocEx(sizeof(SSLOptions));
|
||||
conf_sslblock(conf, sslconfig, listen->ssl_options);
|
||||
listen->ssl_ctx = init_ctx(listen->ssl_options, 1);
|
||||
listen->tls_options = MyMallocEx(sizeof(TLSOptions));
|
||||
conf_tlsblock(conf, tlsconfig, listen->tls_options);
|
||||
listen->ssl_ctx = init_ctx(listen->tls_options, 1);
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -4895,14 +4898,14 @@ int _test_listen(ConfigFile *conf, ConfigEntry *ce)
|
||||
errors++;
|
||||
continue;
|
||||
}
|
||||
if (!strcmp(cepp->ce_varname, "ssl"))
|
||||
have_ssl_listeners = 1; /* for ssl config test */
|
||||
if (!strcmp(cepp->ce_varname, "ssl") || !strcmp(cepp->ce_varname, "tls"))
|
||||
have_tls_listeners = 1; /* for ssl config test */
|
||||
}
|
||||
}
|
||||
else
|
||||
if (!strcmp(cep->ce_varname, "ssl-options"))
|
||||
if (!strcmp(cep->ce_varname, "ssl-options") || !strcmp(cep->ce_varname, "tls-options"))
|
||||
{
|
||||
test_sslblock(conf, cep, &errors);
|
||||
test_tlsblock(conf, cep, &errors);
|
||||
}
|
||||
else
|
||||
if (!cep->ce_vardata)
|
||||
@@ -5080,8 +5083,8 @@ int _conf_allow(ConfigFile *conf, ConfigEntry *ce)
|
||||
allow->flags.noident = 1;
|
||||
else if (!strcmp(cepp->ce_varname, "useip"))
|
||||
allow->flags.useip = 1;
|
||||
else if (!strcmp(cepp->ce_varname, "ssl"))
|
||||
allow->flags.ssl = 1;
|
||||
else if (!strcmp(cepp->ce_varname, "ssl") || !strcmp(cepp->ce_varname, "tls"))
|
||||
allow->flags.tls = 1;
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -5277,7 +5280,7 @@ int _test_allow(ConfigFile *conf, ConfigEntry *ce)
|
||||
{}
|
||||
else if (!strcmp(cepp->ce_varname, "useip"))
|
||||
{}
|
||||
else if (!strcmp(cepp->ce_varname, "ssl"))
|
||||
else if (!strcmp(cepp->ce_varname, "ssl") || !strcmp(cepp->ce_varname, "tls"))
|
||||
{}
|
||||
else if (!strcmp(cepp->ce_varname, "sasl"))
|
||||
{
|
||||
@@ -6061,7 +6064,7 @@ int _test_vhost(ConfigFile *conf, ConfigEntry *ce)
|
||||
int _test_sni(ConfigFile *conf, ConfigEntry *ce)
|
||||
{
|
||||
int errors = 0;
|
||||
ConfigEntry *cep, *sslconfig = NULL;
|
||||
ConfigEntry *cep, *tlsconfig = NULL;
|
||||
|
||||
if (!ce->ce_vardata)
|
||||
{
|
||||
@@ -6072,9 +6075,9 @@ int _test_sni(ConfigFile *conf, ConfigEntry *ce)
|
||||
|
||||
for (cep = ce->ce_entries; cep; cep = cep->ce_next)
|
||||
{
|
||||
if (!strcmp(cep->ce_varname, "ssl-options"))
|
||||
if (!strcmp(cep->ce_varname, "ssl-options") || !strcmp(cep->ce_varname, "tls-options"))
|
||||
{
|
||||
test_sslblock(conf, cep, &errors);
|
||||
test_tlsblock(conf, cep, &errors);
|
||||
} else
|
||||
{
|
||||
config_error_unknown(cep->ce_fileptr->cf_filename, cep->ce_varlinenum,
|
||||
@@ -6090,7 +6093,7 @@ int _test_sni(ConfigFile *conf, ConfigEntry *ce)
|
||||
int _conf_sni(ConfigFile *conf, ConfigEntry *ce)
|
||||
{
|
||||
ConfigEntry *cep;
|
||||
ConfigEntry *sslconfig = NULL;
|
||||
ConfigEntry *tlsconfig = NULL;
|
||||
char *name;
|
||||
ConfigItem_sni *sni = NULL;
|
||||
|
||||
@@ -6100,20 +6103,20 @@ int _conf_sni(ConfigFile *conf, ConfigEntry *ce)
|
||||
|
||||
for (cep = ce->ce_entries; cep; cep = cep->ce_next)
|
||||
{
|
||||
if (!strcmp(cep->ce_varname, "ssl-options"))
|
||||
if (!strcmp(cep->ce_varname, "ssl-options") || !strcmp(cep->ce_varname, "tls-options"))
|
||||
{
|
||||
sslconfig = cep;
|
||||
tlsconfig = cep;
|
||||
}
|
||||
}
|
||||
|
||||
if (!sslconfig)
|
||||
if (!tlsconfig)
|
||||
return 0;
|
||||
|
||||
sni = MyMallocEx(sizeof(ConfigItem_listen));
|
||||
sni->name = strdup(name);
|
||||
sni->ssl_options = MyMallocEx(sizeof(SSLOptions));
|
||||
conf_sslblock(conf, sslconfig, sni->ssl_options);
|
||||
sni->ssl_ctx = init_ctx(sni->ssl_options, 1);
|
||||
sni->tls_options = MyMallocEx(sizeof(TLSOptions));
|
||||
conf_tlsblock(conf, tlsconfig, sni->tls_options);
|
||||
sni->ssl_ctx = init_ctx(sni->tls_options, 1);
|
||||
AddListItem(sni, conf_sni);
|
||||
|
||||
return 1;
|
||||
@@ -6333,11 +6336,11 @@ int _conf_link(ConfigFile *conf, ConfigEntry *ce)
|
||||
link->outgoing.options |= ofp->flag;
|
||||
}
|
||||
}
|
||||
else if (!strcmp(cepp->ce_varname, "ssl-options"))
|
||||
else if (!strcmp(cepp->ce_varname, "ssl-options") || !strcmp(cepp->ce_varname, "tls-options"))
|
||||
{
|
||||
link->ssl_options = MyMallocEx(sizeof(SSLOptions));
|
||||
conf_sslblock(conf, cepp, link->ssl_options);
|
||||
link->ssl_ctx = init_ctx(link->ssl_options, 0);
|
||||
link->tls_options = MyMallocEx(sizeof(TLSOptions));
|
||||
conf_tlsblock(conf, cepp, link->tls_options);
|
||||
link->ssl_ctx = init_ctx(link->tls_options, 0);
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -6495,7 +6498,7 @@ int _test_link(ConfigFile *conf, ConfigEntry *ce)
|
||||
{
|
||||
if (!strcmp(ceppp->ce_varname, "autoconnect"))
|
||||
;
|
||||
else if (!strcmp(ceppp->ce_varname, "ssl"))
|
||||
else if (!strcmp(ceppp->ce_varname, "ssl") || strcmp(ceppp->ce_varname, "tls"))
|
||||
;
|
||||
else if (!strcmp(ceppp->ce_varname, "insecure"))
|
||||
;
|
||||
@@ -6508,9 +6511,9 @@ int _test_link(ConfigFile *conf, ConfigEntry *ce)
|
||||
// TODO: validate more options (?) and use list rather than code here...
|
||||
}
|
||||
}
|
||||
else if (!strcmp(cepp->ce_varname, "ssl-options"))
|
||||
else if (!strcmp(cepp->ce_varname, "ssl-options") || !strcmp(cepp->ce_varname, "tls-options"))
|
||||
{
|
||||
test_sslblock(conf, cepp, &errors);
|
||||
test_tlsblock(conf, cepp, &errors);
|
||||
}
|
||||
else
|
||||
{
|
||||
@@ -6997,7 +7000,7 @@ int _test_require(ConfigFile *conf, ConfigEntry *ce)
|
||||
#define CheckNullAllowEmpty(x) if ((!(x)->ce_vardata)) { config_error("%s:%i: missing parameter", (x)->ce_fileptr->cf_filename, (x)->ce_varlinenum); errors++; continue; }
|
||||
#define CheckDuplicate(cep, name, display) if (settings.has_##name) { config_warn_duplicate((cep)->ce_fileptr->cf_filename, cep->ce_varlinenum, "set::" display); continue; } else settings.has_##name = 1
|
||||
|
||||
void test_sslblock(ConfigFile *conf, ConfigEntry *cep, int *totalerrors)
|
||||
void test_tlsblock(ConfigFile *conf, ConfigEntry *cep, int *totalerrors)
|
||||
{
|
||||
ConfigEntry *cepp, *ceppp;
|
||||
int errors = 0;
|
||||
@@ -7050,15 +7053,15 @@ void test_sslblock(ConfigFile *conf, ConfigEntry *cep, int *totalerrors)
|
||||
}
|
||||
|
||||
if (!stricmp(name, "All"))
|
||||
option = SSL_PROTOCOL_ALL;
|
||||
option = TLS_PROTOCOL_ALL;
|
||||
else if (!stricmp(name, "TLSv1"))
|
||||
option = SSL_PROTOCOL_TLSV1;
|
||||
option = TLS_PROTOCOL_TLSV1;
|
||||
else if (!stricmp(name, "TLSv1.1"))
|
||||
option = SSL_PROTOCOL_TLSV1_1;
|
||||
option = TLS_PROTOCOL_TLSV1_1;
|
||||
else if (!stricmp(name, "TLSv1.2"))
|
||||
option = SSL_PROTOCOL_TLSV1_2;
|
||||
option = TLS_PROTOCOL_TLSV1_2;
|
||||
else if (!stricmp(name, "TLSv1.3"))
|
||||
option = SSL_PROTOCOL_TLSV1_3;
|
||||
option = TLS_PROTOCOL_TLSV1_3;
|
||||
else
|
||||
{
|
||||
#ifdef SSL_OP_NO_TLSv1_3
|
||||
@@ -7108,9 +7111,9 @@ void test_sslblock(ConfigFile *conf, ConfigEntry *cep, int *totalerrors)
|
||||
else if (!strcmp(cepp->ce_varname, "options"))
|
||||
{
|
||||
for (ceppp = cepp->ce_entries; ceppp; ceppp = ceppp->ce_next)
|
||||
if (!config_binary_flags_search(_SSLFlags, ceppp->ce_varname, ARRAY_SIZEOF(_SSLFlags)))
|
||||
if (!config_binary_flags_search(_TLSFlags, ceppp->ce_varname, ARRAY_SIZEOF(_TLSFlags)))
|
||||
{
|
||||
config_error("%s:%i: unknown SSL flag '%s'",
|
||||
config_error("%s:%i: unknown SSL/TLS option '%s'",
|
||||
ceppp->ce_fileptr->cf_filename,
|
||||
ceppp->ce_varlinenum, ceppp->ce_varname);
|
||||
errors ++;
|
||||
@@ -7178,48 +7181,48 @@ void test_sslblock(ConfigFile *conf, ConfigEntry *cep, int *totalerrors)
|
||||
*totalerrors += errors;
|
||||
}
|
||||
|
||||
void free_ssl_options(SSLOptions *ssloptions)
|
||||
void free_tls_options(TLSOptions *tlsoptions)
|
||||
{
|
||||
if (!ssloptions)
|
||||
if (!tlsoptions)
|
||||
return;
|
||||
|
||||
safefree(ssloptions->certificate_file);
|
||||
safefree(ssloptions->key_file);
|
||||
safefree(ssloptions->dh_file);
|
||||
safefree(ssloptions->trusted_ca_file);
|
||||
safefree(ssloptions->ciphers);
|
||||
safefree(ssloptions->ciphersuites);
|
||||
safefree(ssloptions->ecdh_curves);
|
||||
safefree(ssloptions->outdated_protocols);
|
||||
safefree(ssloptions->outdated_ciphers);
|
||||
memset(ssloptions, 0, sizeof(SSLOptions));
|
||||
MyFree(ssloptions);
|
||||
safefree(tlsoptions->certificate_file);
|
||||
safefree(tlsoptions->key_file);
|
||||
safefree(tlsoptions->dh_file);
|
||||
safefree(tlsoptions->trusted_ca_file);
|
||||
safefree(tlsoptions->ciphers);
|
||||
safefree(tlsoptions->ciphersuites);
|
||||
safefree(tlsoptions->ecdh_curves);
|
||||
safefree(tlsoptions->outdated_protocols);
|
||||
safefree(tlsoptions->outdated_ciphers);
|
||||
memset(tlsoptions, 0, sizeof(TLSOptions));
|
||||
MyFree(tlsoptions);
|
||||
}
|
||||
|
||||
void conf_sslblock(ConfigFile *conf, ConfigEntry *cep, SSLOptions *ssloptions)
|
||||
void conf_tlsblock(ConfigFile *conf, ConfigEntry *cep, TLSOptions *tlsoptions)
|
||||
{
|
||||
ConfigEntry *cepp, *ceppp;
|
||||
NameValue *ofl;
|
||||
|
||||
/* First, inherit settings from set::options::ssl */
|
||||
if (ssloptions != tempiConf.ssl_options)
|
||||
/* First, inherit settings from set::options::tls */
|
||||
if (tlsoptions != tempiConf.tls_options)
|
||||
{
|
||||
safestrdup(ssloptions->certificate_file, tempiConf.ssl_options->certificate_file);
|
||||
safestrdup(ssloptions->key_file, tempiConf.ssl_options->key_file);
|
||||
safestrdup(ssloptions->dh_file, tempiConf.ssl_options->dh_file);
|
||||
safestrdup(ssloptions->trusted_ca_file, tempiConf.ssl_options->trusted_ca_file);
|
||||
ssloptions->protocols = tempiConf.ssl_options->protocols;
|
||||
safestrdup(ssloptions->ciphers, tempiConf.ssl_options->ciphers);
|
||||
safestrdup(ssloptions->ciphersuites, tempiConf.ssl_options->ciphersuites);
|
||||
safestrdup(ssloptions->ecdh_curves, tempiConf.ssl_options->ecdh_curves);
|
||||
safestrdup(ssloptions->outdated_protocols, tempiConf.ssl_options->outdated_protocols);
|
||||
safestrdup(ssloptions->outdated_ciphers, tempiConf.ssl_options->outdated_ciphers);
|
||||
ssloptions->options = tempiConf.ssl_options->options;
|
||||
ssloptions->renegotiate_bytes = tempiConf.ssl_options->renegotiate_bytes;
|
||||
ssloptions->renegotiate_timeout = tempiConf.ssl_options->renegotiate_timeout;
|
||||
ssloptions->sts_port = tempiConf.ssl_options->sts_port;
|
||||
ssloptions->sts_duration = tempiConf.ssl_options->sts_duration;
|
||||
ssloptions->sts_preload = tempiConf.ssl_options->sts_preload;
|
||||
safestrdup(tlsoptions->certificate_file, tempiConf.tls_options->certificate_file);
|
||||
safestrdup(tlsoptions->key_file, tempiConf.tls_options->key_file);
|
||||
safestrdup(tlsoptions->dh_file, tempiConf.tls_options->dh_file);
|
||||
safestrdup(tlsoptions->trusted_ca_file, tempiConf.tls_options->trusted_ca_file);
|
||||
tlsoptions->protocols = tempiConf.tls_options->protocols;
|
||||
safestrdup(tlsoptions->ciphers, tempiConf.tls_options->ciphers);
|
||||
safestrdup(tlsoptions->ciphersuites, tempiConf.tls_options->ciphersuites);
|
||||
safestrdup(tlsoptions->ecdh_curves, tempiConf.tls_options->ecdh_curves);
|
||||
safestrdup(tlsoptions->outdated_protocols, tempiConf.tls_options->outdated_protocols);
|
||||
safestrdup(tlsoptions->outdated_ciphers, tempiConf.tls_options->outdated_ciphers);
|
||||
tlsoptions->options = tempiConf.tls_options->options;
|
||||
tlsoptions->renegotiate_bytes = tempiConf.tls_options->renegotiate_bytes;
|
||||
tlsoptions->renegotiate_timeout = tempiConf.tls_options->renegotiate_timeout;
|
||||
tlsoptions->sts_port = tempiConf.tls_options->sts_port;
|
||||
tlsoptions->sts_duration = tempiConf.tls_options->sts_duration;
|
||||
tlsoptions->sts_preload = tempiConf.tls_options->sts_preload;
|
||||
}
|
||||
|
||||
/* Now process the options */
|
||||
@@ -7227,15 +7230,15 @@ void conf_sslblock(ConfigFile *conf, ConfigEntry *cep, SSLOptions *ssloptions)
|
||||
{
|
||||
if (!strcmp(cepp->ce_varname, "ciphers") || !strcmp(cepp->ce_varname, "server-cipher-list"))
|
||||
{
|
||||
safestrdup(ssloptions->ciphers, cepp->ce_vardata);
|
||||
safestrdup(tlsoptions->ciphers, cepp->ce_vardata);
|
||||
}
|
||||
else if (!strcmp(cepp->ce_varname, "ciphersuites"))
|
||||
{
|
||||
safestrdup(ssloptions->ciphersuites, cepp->ce_vardata);
|
||||
safestrdup(tlsoptions->ciphersuites, cepp->ce_vardata);
|
||||
}
|
||||
else if (!strcmp(cepp->ce_varname, "ecdh-curves"))
|
||||
{
|
||||
safestrdup(ssloptions->ecdh_curves, cepp->ce_vardata);
|
||||
safestrdup(tlsoptions->ecdh_curves, cepp->ce_vardata);
|
||||
}
|
||||
else if (!strcmp(cepp->ce_varname, "protocols"))
|
||||
{
|
||||
@@ -7244,7 +7247,7 @@ void conf_sslblock(ConfigFile *conf, ConfigEntry *cep, SSLOptions *ssloptions)
|
||||
char modifier;
|
||||
|
||||
strlcpy(copy, cepp->ce_vardata, sizeof(copy));
|
||||
ssloptions->protocols = 0;
|
||||
tlsoptions->protocols = 0;
|
||||
for (name = strtoken(&p, copy, ","); name; name = strtoken(&p, NULL, ","))
|
||||
{
|
||||
modifier = '\0';
|
||||
@@ -7257,24 +7260,24 @@ void conf_sslblock(ConfigFile *conf, ConfigEntry *cep, SSLOptions *ssloptions)
|
||||
}
|
||||
|
||||
if (!stricmp(name, "All"))
|
||||
option = SSL_PROTOCOL_ALL;
|
||||
option = TLS_PROTOCOL_ALL;
|
||||
else if (!stricmp(name, "TLSv1"))
|
||||
option = SSL_PROTOCOL_TLSV1;
|
||||
option = TLS_PROTOCOL_TLSV1;
|
||||
else if (!stricmp(name, "TLSv1.1"))
|
||||
option = SSL_PROTOCOL_TLSV1_1;
|
||||
option = TLS_PROTOCOL_TLSV1_1;
|
||||
else if (!stricmp(name, "TLSv1.2"))
|
||||
option = SSL_PROTOCOL_TLSV1_2;
|
||||
option = TLS_PROTOCOL_TLSV1_2;
|
||||
else if (!stricmp(name, "TLSv1.3"))
|
||||
option = SSL_PROTOCOL_TLSV1_3;
|
||||
option = TLS_PROTOCOL_TLSV1_3;
|
||||
|
||||
if (option)
|
||||
{
|
||||
if (modifier == '\0')
|
||||
ssloptions->protocols = option;
|
||||
tlsoptions->protocols = option;
|
||||
else if (modifier == '+')
|
||||
ssloptions->protocols |= option;
|
||||
tlsoptions->protocols |= option;
|
||||
else if (modifier == '-')
|
||||
ssloptions->protocols &= ~option;
|
||||
tlsoptions->protocols &= ~option;
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -7285,50 +7288,50 @@ void conf_sslblock(ConfigFile *conf, ConfigEntry *cep, SSLOptions *ssloptions)
|
||||
else if (!strcmp(cepp->ce_varname, "certificate"))
|
||||
{
|
||||
convert_to_absolute_path(&cepp->ce_vardata, CONFDIR);
|
||||
safestrdup(ssloptions->certificate_file, cepp->ce_vardata);
|
||||
safestrdup(tlsoptions->certificate_file, cepp->ce_vardata);
|
||||
}
|
||||
else if (!strcmp(cepp->ce_varname, "key"))
|
||||
{
|
||||
convert_to_absolute_path(&cepp->ce_vardata, CONFDIR);
|
||||
safestrdup(ssloptions->key_file, cepp->ce_vardata);
|
||||
safestrdup(tlsoptions->key_file, cepp->ce_vardata);
|
||||
}
|
||||
else if (!strcmp(cepp->ce_varname, "trusted-ca-file"))
|
||||
{
|
||||
convert_to_absolute_path(&cepp->ce_vardata, CONFDIR);
|
||||
safestrdup(ssloptions->trusted_ca_file, cepp->ce_vardata);
|
||||
safestrdup(tlsoptions->trusted_ca_file, cepp->ce_vardata);
|
||||
}
|
||||
else if (!strcmp(cepp->ce_varname, "renegotiate-bytes"))
|
||||
{
|
||||
ssloptions->renegotiate_bytes = config_checkval(cepp->ce_vardata, CFG_SIZE);
|
||||
tlsoptions->renegotiate_bytes = config_checkval(cepp->ce_vardata, CFG_SIZE);
|
||||
}
|
||||
else if (!strcmp(cepp->ce_varname, "renegotiate-timeout"))
|
||||
{
|
||||
ssloptions->renegotiate_timeout = config_checkval(cepp->ce_vardata, CFG_TIME);
|
||||
tlsoptions->renegotiate_timeout = config_checkval(cepp->ce_vardata, CFG_TIME);
|
||||
}
|
||||
else if (!strcmp(cepp->ce_varname, "options"))
|
||||
{
|
||||
ssloptions->options = 0;
|
||||
tlsoptions->options = 0;
|
||||
for (ceppp = cepp->ce_entries; ceppp; ceppp = ceppp->ce_next)
|
||||
{
|
||||
ofl = config_binary_flags_search(_SSLFlags, ceppp->ce_varname, ARRAY_SIZEOF(_SSLFlags));
|
||||
ofl = config_binary_flags_search(_TLSFlags, ceppp->ce_varname, ARRAY_SIZEOF(_TLSFlags));
|
||||
if (ofl) /* this should always be true */
|
||||
ssloptions->options |= ofl->flag;
|
||||
tlsoptions->options |= ofl->flag;
|
||||
}
|
||||
}
|
||||
else if (!strcmp(cepp->ce_varname, "sts-policy"))
|
||||
{
|
||||
/* We do not inherit ::sts-policy if there is a specific block for this one... */
|
||||
ssloptions->sts_port = 0;
|
||||
ssloptions->sts_duration = 0;
|
||||
ssloptions->sts_preload = 0;
|
||||
tlsoptions->sts_port = 0;
|
||||
tlsoptions->sts_duration = 0;
|
||||
tlsoptions->sts_preload = 0;
|
||||
for (ceppp = cepp->ce_entries; ceppp; ceppp = ceppp->ce_next)
|
||||
{
|
||||
if (!strcmp(ceppp->ce_varname, "port"))
|
||||
ssloptions->sts_port = atoi(ceppp->ce_vardata);
|
||||
tlsoptions->sts_port = atoi(ceppp->ce_vardata);
|
||||
else if (!strcmp(ceppp->ce_varname, "duration"))
|
||||
ssloptions->sts_duration = config_checkval(ceppp->ce_vardata, CFG_TIME);
|
||||
tlsoptions->sts_duration = config_checkval(ceppp->ce_vardata, CFG_TIME);
|
||||
else if (!strcmp(ceppp->ce_varname, "preload"))
|
||||
ssloptions->sts_preload = config_checkval(ceppp->ce_vardata, CFG_YESNO);
|
||||
tlsoptions->sts_preload = config_checkval(ceppp->ce_vardata, CFG_YESNO);
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -7628,8 +7631,8 @@ int _conf_set(ConfigFile *conf, ConfigEntry *ce)
|
||||
else if (!strcmp(cepp->ce_varname, "show-connect-info")) {
|
||||
tempiConf.show_connect_info = 1;
|
||||
}
|
||||
else if (!strcmp(cepp->ce_varname, "no-connect-ssl-info")) {
|
||||
tempiConf.no_connect_ssl_info = 1;
|
||||
else if (!strcmp(cepp->ce_varname, "no-connect-tls-info")) {
|
||||
tempiConf.no_connect_tls_info = 1;
|
||||
}
|
||||
else if (!strcmp(cepp->ce_varname, "dont-resolve")) {
|
||||
tempiConf.dont_resolve = 1;
|
||||
@@ -7742,9 +7745,9 @@ int _conf_set(ConfigFile *conf, ConfigEntry *ce)
|
||||
int v = atoi(cep->ce_vardata);
|
||||
tempiConf.quit_length = v;
|
||||
}
|
||||
else if (!strcmp(cep->ce_varname, "ssl")) {
|
||||
/* no need to alloc tempiConf.ssl_options since config_defaults() already ensures it exists */
|
||||
conf_sslblock(conf, cep, tempiConf.ssl_options);
|
||||
else if (!strcmp(cep->ce_varname, "ssl") || !strcmp(cep->ce_varname, "tls")) {
|
||||
/* no need to alloc tempiConf.tls_options since config_defaults() already ensures it exists */
|
||||
conf_tlsblock(conf, cep, tempiConf.tls_options);
|
||||
}
|
||||
else if (!strcmp(cep->ce_varname, "plaintext-policy"))
|
||||
{
|
||||
@@ -8529,8 +8532,8 @@ int _test_set(ConfigFile *conf, ConfigEntry *ce)
|
||||
else if (!strcmp(cepp->ce_varname, "show-connect-info")) {
|
||||
CheckDuplicate(cepp, options_show_connect_info, "options::show-connect-info");
|
||||
}
|
||||
else if (!strcmp(cepp->ce_varname, "no-connect-ssl-info")) {
|
||||
CheckDuplicate(cepp, options_no_connect_ssl_info, "options::no-connect-ssl-info");
|
||||
else if (!strcmp(cepp->ce_varname, "no-connect-tls-info")) {
|
||||
CheckDuplicate(cepp, options_no_connect_tls_info, "options::no-connect-tls-info");
|
||||
}
|
||||
else if (!strcmp(cepp->ce_varname, "dont-resolve")) {
|
||||
CheckDuplicate(cepp, options_dont_resolve, "options::dont-resolve");
|
||||
@@ -8780,8 +8783,8 @@ int _test_set(ConfigFile *conf, ConfigEntry *ce)
|
||||
errors++;
|
||||
}
|
||||
}
|
||||
else if (!strcmp(cep->ce_varname, "ssl")) {
|
||||
test_sslblock(conf, cep, &errors);
|
||||
else if (!strcmp(cep->ce_varname, "ssl") || !strcmp(cep->ce_varname, "tls")) {
|
||||
test_tlsblock(conf, cep, &errors);
|
||||
}
|
||||
else if (!strcmp(cep->ce_varname, "plaintext-policy"))
|
||||
{
|
||||
@@ -9147,16 +9150,16 @@ void start_listeners(void)
|
||||
ircd_log(LOG_ERROR, "UnrealIRCd is now also listening on %s:%d (%s)%s",
|
||||
listenptr->ip, listenptr->port,
|
||||
listenptr->ipv6 ? "IPv6" : "IPv4",
|
||||
listenptr->options & LISTENER_SSL ? " (SSL)" : "");
|
||||
listenptr->options & LISTENER_TLS ? " (SSL/TLS)" : "");
|
||||
} else {
|
||||
if (listenptr->ipv6)
|
||||
snprintf(boundmsg_ipv6+strlen(boundmsg_ipv6), sizeof(boundmsg_ipv6)-strlen(boundmsg_ipv6),
|
||||
"%s:%d%s, ", listenptr->ip, listenptr->port,
|
||||
listenptr->options & LISTENER_SSL ? "(SSL)" : "");
|
||||
listenptr->options & LISTENER_TLS ? "(SSL/TLS)" : "");
|
||||
else
|
||||
snprintf(boundmsg_ipv4+strlen(boundmsg_ipv4), sizeof(boundmsg_ipv4)-strlen(boundmsg_ipv4),
|
||||
"%s:%d%s, ", listenptr->ip, listenptr->port,
|
||||
listenptr->options & LISTENER_SSL ? "(SSL)" : "");
|
||||
listenptr->options & LISTENER_TLS ? "(SSL/TLS)" : "");
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -10212,10 +10215,10 @@ void link_cleanup(ConfigItem_link *link_ptr)
|
||||
SSL_CTX_free(link_ptr->ssl_ctx);
|
||||
link_ptr->ssl_ctx = NULL;
|
||||
}
|
||||
if (link_ptr->ssl_options)
|
||||
if (link_ptr->tls_options)
|
||||
{
|
||||
free_ssl_options(link_ptr->ssl_options);
|
||||
link_ptr->ssl_options = NULL;
|
||||
free_tls_options(link_ptr->tls_options);
|
||||
link_ptr->tls_options = NULL;
|
||||
}
|
||||
}
|
||||
|
||||
@@ -10259,7 +10262,7 @@ void listen_cleanup()
|
||||
if (listen_ptr->flag.temporary && !listen_ptr->clients)
|
||||
{
|
||||
safefree(listen_ptr->ip);
|
||||
free_ssl_options(listen_ptr->ssl_options);
|
||||
free_tls_options(listen_ptr->tls_options);
|
||||
DelListItem(listen_ptr, conf_listen);
|
||||
MyFree(listen_ptr);
|
||||
i++;
|
||||
@@ -10547,12 +10550,12 @@ void load_includes(void)
|
||||
inc->flag.type &= ~INCLUDE_NOTLOADED;
|
||||
}
|
||||
|
||||
int ssl_tests(void)
|
||||
int tls_tests(void)
|
||||
{
|
||||
if (have_ssl_listeners == 0)
|
||||
if (have_tls_listeners == 0)
|
||||
{
|
||||
config_error("Your server is not listening on any SSL ports.");
|
||||
config_status("Add this to your unrealircd.conf: listen { ip %s; port 6697; options { ssl; }; };",
|
||||
config_error("Your server is not listening on any SSL/TLS ports.");
|
||||
config_status("Add this to your unrealircd.conf: listen { ip %s; port 6697; options { tls; }; };",
|
||||
port_6667_ip ? port_6667_ip : "*");
|
||||
config_status("See https://www.unrealircd.org/docs/FAQ#Your_server_is_not_listening_on_any_SSL_ports");
|
||||
return 0;
|
||||
|
||||
+1
-1
@@ -458,7 +458,7 @@ SSL_CTX *crashreport_init_ssl(void)
|
||||
SSL_CTX_set_options(ctx_client, SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3);
|
||||
|
||||
/* Verify peer certificate */
|
||||
snprintf(buf, sizeof(buf), "%s/ssl/curl-ca-bundle.crt", CONFDIR);
|
||||
snprintf(buf, sizeof(buf), "%s/tls/curl-ca-bundle.crt", CONFDIR);
|
||||
SSL_CTX_load_verify_locations(ctx_client, buf, NULL);
|
||||
SSL_CTX_set_verify(ctx_client, SSL_VERIFY_PEER, NULL);
|
||||
|
||||
|
||||
+3
-3
@@ -510,7 +510,7 @@ int check_ping(aClient *cptr)
|
||||
)
|
||||
{
|
||||
if (IsServer(cptr) || IsConnecting(cptr) ||
|
||||
IsHandshake(cptr) || IsSSLConnectHandshake(cptr))
|
||||
IsHandshake(cptr) || IsTLSConnectHandshake(cptr))
|
||||
{
|
||||
sendto_ops_and_log
|
||||
("No response from %s, closing link",
|
||||
@@ -520,7 +520,7 @@ int check_ping(aClient *cptr)
|
||||
me.name, get_client_name(cptr,
|
||||
FALSE));
|
||||
}
|
||||
if (IsSSLAcceptHandshake(cptr))
|
||||
if (IsTLSAcceptHandshake(cptr))
|
||||
Debug((DEBUG_DEBUG, "ssl accept handshake timeout: %s (%li-%li > %li)", cptr->local->sockhost,
|
||||
TStime(), cptr->local->since, ping));
|
||||
(void)ircsnprintf(scratch, sizeof(scratch), "Ping timeout: %ld seconds",
|
||||
@@ -545,7 +545,7 @@ int check_ping(aClient *cptr)
|
||||
}
|
||||
else if (!IsPingWarning(cptr) && PINGWARNING > 0 &&
|
||||
(IsServer(cptr) || IsHandshake(cptr) || IsConnecting(cptr) ||
|
||||
IsSSLConnectHandshake(cptr)) &&
|
||||
IsTLSConnectHandshake(cptr)) &&
|
||||
(TStime() - cptr->local->lasttime) >= (ping + PINGWARNING))
|
||||
{
|
||||
SetPingWarning(cptr);
|
||||
|
||||
+1
-1
@@ -319,7 +319,7 @@ void remove_client_from_list(aClient *cptr)
|
||||
cptr->srvptr->serv->users--;
|
||||
}
|
||||
if (IsUnknown(cptr) || IsConnecting(cptr) || IsHandshake(cptr)
|
||||
|| IsSSLHandshake(cptr)
|
||||
|| IsTLSHandshake(cptr)
|
||||
)
|
||||
IRCstats.unknown--;
|
||||
|
||||
|
||||
@@ -123,7 +123,7 @@ int certfp_connect(aClient *acptr)
|
||||
{
|
||||
char *fp = moddata_client_get(acptr, "certfp");
|
||||
|
||||
if (fp && !iConf.no_connect_ssl_info)
|
||||
if (fp && !iConf.no_connect_tls_info)
|
||||
sendnotice(acptr, "*** Your SSL fingerprint is %s", fp);
|
||||
}
|
||||
|
||||
|
||||
+2
-2
@@ -1426,7 +1426,7 @@ int _register_user(aClient *cptr, aClient *sptr, char *nick, char *username, cha
|
||||
|
||||
if (IsSecureConnect(sptr))
|
||||
{
|
||||
if (sptr->local->ssl && !iConf.no_connect_ssl_info)
|
||||
if (sptr->local->ssl && !iConf.no_connect_tls_info)
|
||||
{
|
||||
sendnotice(sptr, "*** You are connected to %s with %s",
|
||||
me.name, ssl_get_cipher(sptr->local->ssl));
|
||||
@@ -1713,7 +1713,7 @@ int AllowClient(aClient *cptr, struct hostent *hp, char *sockhost, char *usernam
|
||||
goto attach;
|
||||
if (aconf->auth && !cptr->local->passwd)
|
||||
continue;
|
||||
if (aconf->flags.ssl && !IsSecure(cptr))
|
||||
if (aconf->flags.tls && !IsSecure(cptr))
|
||||
continue;
|
||||
if (hp && hp->h_name)
|
||||
{
|
||||
|
||||
@@ -365,7 +365,7 @@ skip_host_check:
|
||||
{
|
||||
char *errstr = NULL;
|
||||
|
||||
if (!IsSSL(cptr))
|
||||
if (!IsTLS(cptr))
|
||||
{
|
||||
sendto_one(cptr, NULL,
|
||||
"ERROR :Link '%s' denied (Not using SSL/TLS) %s",
|
||||
|
||||
@@ -63,13 +63,13 @@ MOD_UNLOAD(starttls)
|
||||
CMD_FUNC(m_starttls)
|
||||
{
|
||||
SSL_CTX *ctx;
|
||||
int ssl_options;
|
||||
int tls_options;
|
||||
|
||||
if (!MyConnect(sptr) || !IsUnknown(sptr))
|
||||
return 0;
|
||||
|
||||
ctx = sptr->local->listener->ssl_ctx ? sptr->local->listener->ssl_ctx : ctx_server;
|
||||
ssl_options = sptr->local->listener->ssl_options ? sptr->local->listener->ssl_options->options : iConf.ssl_options->options;
|
||||
tls_options = sptr->local->listener->tls_options ? sptr->local->listener->tls_options->options : iConf.tls_options->options;
|
||||
|
||||
/* Is SSL support enabled? (may not, if failed to load cert/keys/..) */
|
||||
if (!ctx)
|
||||
@@ -80,7 +80,7 @@ CMD_FUNC(m_starttls)
|
||||
}
|
||||
|
||||
/* Is STARTTLS disabled? (same response as above) */
|
||||
if (ssl_options & SSLFLAG_NOSTARTTLS)
|
||||
if (tls_options & TLSFLAG_NOSTARTTLS)
|
||||
{
|
||||
sendnumeric(sptr, ERR_NOTREGISTERED);
|
||||
return 0;
|
||||
@@ -96,11 +96,11 @@ CMD_FUNC(m_starttls)
|
||||
sendnumeric(sptr, RPL_STARTTLS);
|
||||
send_queued(sptr);
|
||||
|
||||
SetSSLStartTLSHandshake(sptr);
|
||||
SetStartTLSHandshake(sptr);
|
||||
Debug((DEBUG_DEBUG, "Starting SSL handshake (due to STARTTLS) for %s", sptr->local->sockhost));
|
||||
if ((sptr->local->ssl = SSL_new(ctx)) == NULL)
|
||||
goto fail;
|
||||
sptr->flags |= FLAGS_SSL;
|
||||
sptr->flags |= FLAGS_TLS;
|
||||
SSL_set_fd(sptr->local->ssl, sptr->fd);
|
||||
SSL_set_nonblocking(sptr->local->ssl);
|
||||
if (!ircd_SSL_accept(sptr, sptr->fd)) {
|
||||
@@ -117,7 +117,7 @@ fail:
|
||||
/* Failure */
|
||||
sendnumeric(sptr, ERR_STARTTLS, "STARTTLS failed");
|
||||
sptr->local->ssl = NULL;
|
||||
sptr->flags &= ~FLAGS_SSL;
|
||||
sptr->flags &= ~FLAGS_TLS;
|
||||
SetUnknown(sptr);
|
||||
return 0;
|
||||
}
|
||||
|
||||
+8
-8
@@ -431,7 +431,7 @@ int stats_links(aClient *sptr, char *para)
|
||||
link_p->outgoing.port,
|
||||
link_p->class->name,
|
||||
(link_p->outgoing.options & CONNECT_AUTO) ? "a" : "",
|
||||
(link_p->outgoing.options & CONNECT_SSL) ? "S" : "",
|
||||
(link_p->outgoing.options & CONNECT_TLS) ? "S" : "",
|
||||
(link_p->flag.temporary == 1) ? "T" : "");
|
||||
#ifdef DEBUGMODE
|
||||
sendnotice(sptr, "%s (%p) has refcount %d",
|
||||
@@ -558,8 +558,8 @@ static char *stats_port_helper(ConfigItem_listen *listener)
|
||||
ircsnprintf(buf, sizeof(buf), "%s%s%s%s",
|
||||
(listener->options & LISTENER_CLIENTSONLY)? "clientsonly ": "",
|
||||
(listener->options & LISTENER_SERVERSONLY)? "serversonly ": "",
|
||||
(listener->options & LISTENER_SSL)? "ssl ": "",
|
||||
!(listener->options & LISTENER_SSL)? "plaintext ": "");
|
||||
(listener->options & LISTENER_TLS)? "ssl ": "",
|
||||
!(listener->options & LISTENER_TLS)? "plaintext ": "");
|
||||
return buf;
|
||||
}
|
||||
|
||||
@@ -1109,16 +1109,16 @@ int stats_set(aClient *sptr, char *para)
|
||||
sendtxtnumeric(sptr, "hide-ban-reason: %d", HIDE_BAN_REASON);
|
||||
sendtxtnumeric(sptr, "anti-spam-quit-message-time: %s", pretty_time_val(ANTI_SPAM_QUIT_MSG_TIME));
|
||||
sendtxtnumeric(sptr, "channel-command-prefix: %s", CHANCMDPFX ? CHANCMDPFX : "`");
|
||||
sendtxtnumeric(sptr, "ssl::certificate: %s", SafePrint(iConf.ssl_options->certificate_file));
|
||||
sendtxtnumeric(sptr, "ssl::key: %s", SafePrint(iConf.ssl_options->key_file));
|
||||
sendtxtnumeric(sptr, "ssl::trusted-ca-file: %s", SafePrint(iConf.ssl_options->trusted_ca_file));
|
||||
sendtxtnumeric(sptr, "ssl::options: %s", iConf.ssl_options->options & SSLFLAG_FAILIFNOCERT ? "FAILIFNOCERT" : "");
|
||||
sendtxtnumeric(sptr, "ssl::certificate: %s", SafePrint(iConf.tls_options->certificate_file));
|
||||
sendtxtnumeric(sptr, "ssl::key: %s", SafePrint(iConf.tls_options->key_file));
|
||||
sendtxtnumeric(sptr, "ssl::trusted-ca-file: %s", SafePrint(iConf.tls_options->trusted_ca_file));
|
||||
sendtxtnumeric(sptr, "ssl::options: %s", iConf.tls_options->options & TLSFLAG_FAILIFNOCERT ? "FAILIFNOCERT" : "");
|
||||
sendtxtnumeric(sptr, "options::show-opermotd: %d", SHOWOPERMOTD);
|
||||
sendtxtnumeric(sptr, "options::hide-ulines: %d", HIDE_ULINES);
|
||||
sendtxtnumeric(sptr, "options::identd-check: %d", IDENT_CHECK);
|
||||
sendtxtnumeric(sptr, "options::fail-oper-warn: %d", FAILOPER_WARN);
|
||||
sendtxtnumeric(sptr, "options::show-connect-info: %d", SHOWCONNECTINFO);
|
||||
sendtxtnumeric(sptr, "options::no-connect-ssl-info: %d", NOCONNECTSSLINFO);
|
||||
sendtxtnumeric(sptr, "options::no-connect-tls-info: %d", NOCONNECTSSLINFO);
|
||||
sendtxtnumeric(sptr, "options::dont-resolve: %d", DONT_RESOLVE);
|
||||
sendtxtnumeric(sptr, "options::mkpasswd-for-everyone: %d", MKPASSWD_FOR_EVERYONE);
|
||||
sendtxtnumeric(sptr, "options::allow-insane-bans: %d", ALLOW_INSANE_BANS);
|
||||
|
||||
+7
-7
@@ -57,20 +57,20 @@ MOD_UNLOAD(sts)
|
||||
*/
|
||||
int sts_capability_visible(aClient *acptr)
|
||||
{
|
||||
SSLOptions *ssl;
|
||||
TLSOptions *ssl;
|
||||
|
||||
/* This is possible if queried from the CAP NEW/DEL code */
|
||||
if (acptr == NULL)
|
||||
return (iConf.ssl_options && iConf.ssl_options->sts_port) ? 1 : 0;
|
||||
return (iConf.tls_options && iConf.tls_options->sts_port) ? 1 : 0;
|
||||
|
||||
if (!IsSecure(acptr))
|
||||
{
|
||||
if (iConf.ssl_options && iConf.ssl_options->sts_port)
|
||||
if (iConf.tls_options && iConf.tls_options->sts_port)
|
||||
return 1; /* YES, non-SSL user and set::ssl::sts-policy configured */
|
||||
return 0; /* NO, there is no sts-policy */
|
||||
}
|
||||
|
||||
ssl = FindSSLOptionsForUser(acptr);
|
||||
ssl = FindTLSOptionsForUser(acptr);
|
||||
|
||||
if (ssl && ssl->sts_port)
|
||||
return 1;
|
||||
@@ -80,13 +80,13 @@ int sts_capability_visible(aClient *acptr)
|
||||
|
||||
char *sts_capability_parameter(aClient *acptr)
|
||||
{
|
||||
SSLOptions *ssl;
|
||||
TLSOptions *ssl;
|
||||
static char buf[256];
|
||||
|
||||
if (IsSecure(acptr))
|
||||
ssl = FindSSLOptionsForUser(acptr);
|
||||
ssl = FindTLSOptionsForUser(acptr);
|
||||
else
|
||||
ssl = iConf.ssl_options;
|
||||
ssl = iConf.tls_options;
|
||||
|
||||
if (!ssl)
|
||||
return ""; /* This would be odd. */
|
||||
|
||||
+2
-2
@@ -210,11 +210,11 @@ CMD_FUNC(m_trace)
|
||||
cnt++;
|
||||
break;
|
||||
#ifdef USE_SSL
|
||||
case STAT_SSL_CONNECT_HANDSHAKE:
|
||||
case STAT_TLS_CONNECT_HANDSHAKE:
|
||||
sendnumeric(sptr, RPL_TRACENEWTYPE, "SSL-Connect-Handshake", name);
|
||||
cnt++;
|
||||
break;
|
||||
case STAT_SSL_ACCEPT_HANDSHAKE:
|
||||
case STAT_TLS_ACCEPT_HANDSHAKE:
|
||||
sendnumeric(sptr, RPL_TRACENEWTYPE, "SSL-Accept-Handshake", name);
|
||||
cnt++;
|
||||
break;
|
||||
|
||||
+2
-2
@@ -397,12 +397,12 @@ char *get_cptr_status(aClient *acptr)
|
||||
*p++ = 'S';
|
||||
if (acptr->umodes & LISTENER_CLIENTSONLY)
|
||||
*p++ = 'C';
|
||||
if (acptr->umodes & LISTENER_SSL)
|
||||
if (acptr->umodes & LISTENER_TLS)
|
||||
*p++ = 's';
|
||||
}
|
||||
else
|
||||
{
|
||||
if (acptr->flags & FLAGS_SSL)
|
||||
if (acptr->flags & FLAGS_TLS)
|
||||
*p++ = 's';
|
||||
}
|
||||
*p++ = ']';
|
||||
|
||||
+2
-2
@@ -48,7 +48,7 @@ int deliver_it(aClient *cptr, char *str, int len, int *want_read)
|
||||
|
||||
if (IsDead(cptr) || (!IsServer(cptr) && !IsPerson(cptr)
|
||||
&& !IsHandshake(cptr)
|
||||
&& !IsSSLHandshake(cptr)
|
||||
&& !IsTLSHandshake(cptr)
|
||||
|
||||
&& !IsUnknown(cptr)))
|
||||
{
|
||||
@@ -59,7 +59,7 @@ int deliver_it(aClient *cptr, char *str, int len, int *want_read)
|
||||
return -1;
|
||||
}
|
||||
|
||||
if (IsSSL(cptr) && cptr->local->ssl != NULL)
|
||||
if (IsTLS(cptr) && cptr->local->ssl != NULL)
|
||||
{
|
||||
retval = SSL_write(cptr->local->ssl, str, len);
|
||||
|
||||
|
||||
@@ -227,7 +227,7 @@ static int setup_dh_params(SSL_CTX *ctx)
|
||||
{
|
||||
DH *dh;
|
||||
BIO *bio;
|
||||
char *dh_file = iConf.ssl_options ? iConf.ssl_options->dh_file : tempiConf.ssl_options->dh_file;
|
||||
char *dh_file = iConf.tls_options ? iConf.tls_options->dh_file : tempiConf.tls_options->dh_file;
|
||||
/* ^^ because we can be called both before config file initalization or after */
|
||||
|
||||
if (dh_file == NULL)
|
||||
@@ -256,7 +256,7 @@ static int setup_dh_params(SSL_CTX *ctx)
|
||||
}
|
||||
|
||||
/** Disable SSL/TLS protocols as set by config */
|
||||
void disable_ssl_protocols(SSL_CTX *ctx, SSLOptions *ssloptions)
|
||||
void disable_ssl_protocols(SSL_CTX *ctx, TLSOptions *tlsoptions)
|
||||
{
|
||||
/* OpenSSL has two mechanisms for protocol version control:
|
||||
*
|
||||
@@ -275,12 +275,12 @@ void disable_ssl_protocols(SSL_CTX *ctx, SSLOptions *ssloptions)
|
||||
* minimum protocol version to begin with.
|
||||
*/
|
||||
#ifdef HAS_SSL_CTX_SET_MIN_PROTO_VERSION
|
||||
if (!(ssloptions->protocols & SSL_PROTOCOL_TLSV1) &&
|
||||
!(ssloptions->protocols & SSL_PROTOCOL_TLSV1_1))
|
||||
if (!(tlsoptions->protocols & TLS_PROTOCOL_TLSV1) &&
|
||||
!(tlsoptions->protocols & TLS_PROTOCOL_TLSV1_1))
|
||||
{
|
||||
SSL_CTX_set_min_proto_version(ctx, TLS1_2_VERSION);
|
||||
} else
|
||||
if (!(ssloptions->protocols & SSL_PROTOCOL_TLSV1))
|
||||
if (!(tlsoptions->protocols & TLS_PROTOCOL_TLSV1))
|
||||
{
|
||||
SSL_CTX_set_min_proto_version(ctx, TLS1_1_VERSION);
|
||||
} else
|
||||
@@ -292,27 +292,27 @@ void disable_ssl_protocols(SSL_CTX *ctx, SSLOptions *ssloptions)
|
||||
SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3); /* always disable SSLv3 */
|
||||
|
||||
#ifdef SSL_OP_NO_TLSv1
|
||||
if (!(ssloptions->protocols & SSL_PROTOCOL_TLSV1))
|
||||
if (!(tlsoptions->protocols & TLS_PROTOCOL_TLSV1))
|
||||
SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1);
|
||||
#endif
|
||||
|
||||
#ifdef SSL_OP_NO_TLSv1_1
|
||||
if (!(ssloptions->protocols & SSL_PROTOCOL_TLSV1_1))
|
||||
if (!(tlsoptions->protocols & TLS_PROTOCOL_TLSV1_1))
|
||||
SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1_1);
|
||||
#endif
|
||||
|
||||
#ifdef SSL_OP_NO_TLSv1_2
|
||||
if (!(ssloptions->protocols & SSL_PROTOCOL_TLSV1_2))
|
||||
if (!(tlsoptions->protocols & TLS_PROTOCOL_TLSV1_2))
|
||||
SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1_2);
|
||||
#endif
|
||||
|
||||
#ifdef SSL_OP_NO_TLSv1_3
|
||||
if (!(ssloptions->protocols & SSL_PROTOCOL_TLSV1_3))
|
||||
if (!(tlsoptions->protocols & TLS_PROTOCOL_TLSV1_3))
|
||||
SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1_3);
|
||||
#endif
|
||||
}
|
||||
|
||||
SSL_CTX *init_ctx(SSLOptions *ssloptions, int server)
|
||||
SSL_CTX *init_ctx(TLSOptions *tlsoptions, int server)
|
||||
{
|
||||
SSL_CTX *ctx;
|
||||
char *errstr = NULL;
|
||||
@@ -328,10 +328,10 @@ SSL_CTX *init_ctx(SSLOptions *ssloptions, int server)
|
||||
config_report_ssl_error();
|
||||
return NULL;
|
||||
}
|
||||
disable_ssl_protocols(ctx, ssloptions);
|
||||
disable_ssl_protocols(ctx, tlsoptions);
|
||||
SSL_CTX_set_default_passwd_cb(ctx, ssl_pem_passwd_cb);
|
||||
|
||||
if (server && !(ssloptions->options & SSLFLAG_DISABLECLIENTCERT))
|
||||
if (server && !(tlsoptions->options & TLSFLAG_DISABLECLIENTCERT))
|
||||
{
|
||||
/* We tell OpenSSL/LibreSSL to verify the certificate and set our callback.
|
||||
* Our callback will always accept the certificate since actual checking
|
||||
@@ -340,7 +340,7 @@ SSL_CTX *init_ctx(SSLOptions *ssloptions, int server)
|
||||
* _verify_link() will take care of it only after we learned what server
|
||||
* we are dealing with (and if we should verify certificates for that server).
|
||||
*/
|
||||
SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER|SSL_VERIFY_CLIENT_ONCE | (ssloptions->options & SSLFLAG_FAILIFNOCERT ? SSL_VERIFY_FAIL_IF_NO_PEER_CERT : 0), ssl_verify_callback);
|
||||
SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER|SSL_VERIFY_CLIENT_ONCE | (tlsoptions->options & TLSFLAG_FAILIFNOCERT ? SSL_VERIFY_FAIL_IF_NO_PEER_CERT : 0), ssl_verify_callback);
|
||||
}
|
||||
SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF);
|
||||
#ifndef SSL_OP_NO_TICKET
|
||||
@@ -351,30 +351,30 @@ SSL_CTX *init_ctx(SSLOptions *ssloptions, int server)
|
||||
if (!setup_dh_params(ctx))
|
||||
goto fail;
|
||||
|
||||
if (!ssloptions->certificate_file)
|
||||
if (!tlsoptions->certificate_file)
|
||||
{
|
||||
config_error("No SSL certificate configured (set::options::ssl::certificate or in a listen block)");
|
||||
config_report_ssl_error();
|
||||
goto fail;
|
||||
}
|
||||
|
||||
if (SSL_CTX_use_certificate_chain_file(ctx, ssloptions->certificate_file) <= 0)
|
||||
if (SSL_CTX_use_certificate_chain_file(ctx, tlsoptions->certificate_file) <= 0)
|
||||
{
|
||||
config_error("Failed to load SSL certificate %s", ssloptions->certificate_file);
|
||||
config_error("Failed to load SSL certificate %s", tlsoptions->certificate_file);
|
||||
config_report_ssl_error();
|
||||
goto fail;
|
||||
}
|
||||
|
||||
if (!ssloptions->key_file)
|
||||
if (!tlsoptions->key_file)
|
||||
{
|
||||
config_error("No SSL key configured (set::options::ssl::key or in a listen block)");
|
||||
config_report_ssl_error();
|
||||
goto fail;
|
||||
}
|
||||
|
||||
if (SSL_CTX_use_PrivateKey_file(ctx, ssloptions->key_file, SSL_FILETYPE_PEM) <= 0)
|
||||
if (SSL_CTX_use_PrivateKey_file(ctx, tlsoptions->key_file, SSL_FILETYPE_PEM) <= 0)
|
||||
{
|
||||
config_error("Failed to load SSL private key %s", ssloptions->key_file);
|
||||
config_error("Failed to load SSL private key %s", tlsoptions->key_file);
|
||||
config_report_ssl_error();
|
||||
goto fail;
|
||||
}
|
||||
@@ -386,7 +386,7 @@ SSL_CTX *init_ctx(SSLOptions *ssloptions, int server)
|
||||
goto fail;
|
||||
}
|
||||
|
||||
if (SSL_CTX_set_cipher_list(ctx, ssloptions->ciphers) == 0)
|
||||
if (SSL_CTX_set_cipher_list(ctx, tlsoptions->ciphers) == 0)
|
||||
{
|
||||
config_error("Failed to set SSL cipher list");
|
||||
config_report_ssl_error();
|
||||
@@ -394,7 +394,7 @@ SSL_CTX *init_ctx(SSLOptions *ssloptions, int server)
|
||||
}
|
||||
|
||||
#ifdef SSL_OP_NO_TLSv1_3
|
||||
if (SSL_CTX_set_ciphersuites(ctx, ssloptions->ciphersuites) == 0)
|
||||
if (SSL_CTX_set_ciphersuites(ctx, tlsoptions->ciphersuites) == 0)
|
||||
{
|
||||
config_error("Failed to set SSL ciphersuites list");
|
||||
config_report_ssl_error();
|
||||
@@ -413,11 +413,11 @@ SSL_CTX *init_ctx(SSLOptions *ssloptions, int server)
|
||||
if (server)
|
||||
SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
|
||||
|
||||
if (ssloptions->trusted_ca_file)
|
||||
if (tlsoptions->trusted_ca_file)
|
||||
{
|
||||
if (!SSL_CTX_load_verify_locations(ctx, ssloptions->trusted_ca_file, NULL))
|
||||
if (!SSL_CTX_load_verify_locations(ctx, tlsoptions->trusted_ca_file, NULL))
|
||||
{
|
||||
config_error("Failed to load Trusted CA's from %s", ssloptions->trusted_ca_file);
|
||||
config_error("Failed to load Trusted CA's from %s", tlsoptions->trusted_ca_file);
|
||||
config_report_ssl_error();
|
||||
goto fail;
|
||||
}
|
||||
@@ -441,10 +441,10 @@ SSL_CTX *init_ctx(SSLOptions *ssloptions, int server)
|
||||
*/
|
||||
#endif
|
||||
/* Let's see if we need to (and can) set specific curves */
|
||||
if (ssloptions->ecdh_curves)
|
||||
if (tlsoptions->ecdh_curves)
|
||||
{
|
||||
#ifdef HAS_SSL_CTX_SET1_CURVES_LIST
|
||||
if (!SSL_CTX_set1_curves_list(ctx, ssloptions->ecdh_curves))
|
||||
if (!SSL_CTX_set1_curves_list(ctx, tlsoptions->ecdh_curves))
|
||||
{
|
||||
config_error("Failed to apply ecdh-curves '%s'. "
|
||||
"To get a list of supported curves with the "
|
||||
@@ -452,7 +452,7 @@ SSL_CTX *init_ctx(SSLOptions *ssloptions, int server)
|
||||
"'openssl ecparam -list_curves' on the server. "
|
||||
"Separate multiple curves by colon, "
|
||||
"for example: ecdh-curves \"secp521r1:secp384r1\".",
|
||||
ssloptions->ecdh_curves);
|
||||
tlsoptions->ecdh_curves);
|
||||
config_report_ssl_error();
|
||||
goto fail;
|
||||
}
|
||||
@@ -496,10 +496,10 @@ int early_init_ssl(void)
|
||||
int init_ssl(void)
|
||||
{
|
||||
/* SSL preliminaries. We keep the certificate and key with the context. */
|
||||
ctx_server = init_ctx(iConf.ssl_options, 1);
|
||||
ctx_server = init_ctx(iConf.tls_options, 1);
|
||||
if (!ctx_server)
|
||||
return 0;
|
||||
ctx_client = init_ctx(iConf.ssl_options, 0);
|
||||
ctx_client = init_ctx(iConf.tls_options, 0);
|
||||
if (!ctx_client)
|
||||
return 0;
|
||||
return 1;
|
||||
@@ -521,7 +521,7 @@ void reinit_ssl(aClient *acptr)
|
||||
mylog("%s requested a reload of all SSL related data (/rehash -ssl)",
|
||||
acptr->name);
|
||||
|
||||
tmp = init_ctx(iConf.ssl_options, 1);
|
||||
tmp = init_ctx(iConf.tls_options, 1);
|
||||
if (!tmp)
|
||||
{
|
||||
config_error("SSL Reload failed.");
|
||||
@@ -530,7 +530,7 @@ void reinit_ssl(aClient *acptr)
|
||||
}
|
||||
ctx_server = tmp; /* activate */
|
||||
|
||||
tmp = init_ctx(iConf.ssl_options, 0);
|
||||
tmp = init_ctx(iConf.tls_options, 0);
|
||||
if (!tmp)
|
||||
{
|
||||
config_error("SSL Reload partially failed. Server context is reloaded, client context failed");
|
||||
@@ -542,9 +542,9 @@ void reinit_ssl(aClient *acptr)
|
||||
/* listen::ssl-options.... */
|
||||
for (listen = conf_listen; listen; listen = listen->next)
|
||||
{
|
||||
if (listen->ssl_options)
|
||||
if (listen->tls_options)
|
||||
{
|
||||
tmp = init_ctx(listen->ssl_options, 1);
|
||||
tmp = init_ctx(listen->tls_options, 1);
|
||||
if (!tmp)
|
||||
{
|
||||
config_error("SSL Reload partially failed. listen::ssl-options error, see above");
|
||||
@@ -558,9 +558,9 @@ void reinit_ssl(aClient *acptr)
|
||||
/* sni::ssl-options.... */
|
||||
for (sni = conf_sni; sni; sni = sni->next)
|
||||
{
|
||||
if (sni->ssl_options)
|
||||
if (sni->tls_options)
|
||||
{
|
||||
tmp = init_ctx(sni->ssl_options, 1);
|
||||
tmp = init_ctx(sni->tls_options, 1);
|
||||
if (!tmp)
|
||||
{
|
||||
config_error("SSL Reload partially failed. sni::ssl-options error, see above");
|
||||
@@ -574,9 +574,9 @@ void reinit_ssl(aClient *acptr)
|
||||
/* link::outgoing::ssl-options.... */
|
||||
for (link = conf_link; link; link = link->next)
|
||||
{
|
||||
if (link->ssl_options)
|
||||
if (link->tls_options)
|
||||
{
|
||||
tmp = init_ctx(link->ssl_options, 1);
|
||||
tmp = init_ctx(link->tls_options, 1);
|
||||
if (!tmp)
|
||||
{
|
||||
config_error("SSL Reload partially failed. link::outgoing::ssl-options error in link %s { }, see above",
|
||||
@@ -612,15 +612,15 @@ char *ssl_get_cipher(SSL *ssl)
|
||||
/** Get the applicable ::ssl-options block for this local client,
|
||||
* which may be defined in the link block, listen block, or set block.
|
||||
*/
|
||||
SSLOptions *get_ssl_options_for_client(aClient *acptr)
|
||||
TLSOptions *get_tls_options_for_client(aClient *acptr)
|
||||
{
|
||||
if (!acptr->local)
|
||||
return NULL;
|
||||
if (acptr->serv && acptr->serv->conf && acptr->serv->conf->ssl_options)
|
||||
return acptr->serv->conf->ssl_options;
|
||||
if (acptr->local && acptr->local->listener && acptr->local->listener->ssl_options)
|
||||
return acptr->local->listener->ssl_options;
|
||||
return iConf.ssl_options;
|
||||
if (acptr->serv && acptr->serv->conf && acptr->serv->conf->tls_options)
|
||||
return acptr->serv->conf->tls_options;
|
||||
if (acptr->local && acptr->local->listener && acptr->local->listener->tls_options)
|
||||
return acptr->local->listener->tls_options;
|
||||
return iConf.tls_options;
|
||||
}
|
||||
|
||||
/** Outgoing SSL connect (read: handshake) to another server. */
|
||||
@@ -628,7 +628,7 @@ void ircd_SSL_client_handshake(int fd, int revents, void *data)
|
||||
{
|
||||
aClient *acptr = data;
|
||||
SSL_CTX *ctx = (acptr->serv && acptr->serv->conf && acptr->serv->conf->ssl_ctx) ? acptr->serv->conf->ssl_ctx : ctx_client;
|
||||
SSLOptions *ssloptions = get_ssl_options_for_client(acptr);
|
||||
TLSOptions *tlsoptions = get_tls_options_for_client(acptr);
|
||||
|
||||
if (!ctx)
|
||||
{
|
||||
@@ -647,16 +647,16 @@ void ircd_SSL_client_handshake(int fd, int revents, void *data)
|
||||
SSL_set_connect_state(acptr->local->ssl);
|
||||
SSL_set_nonblocking(acptr->local->ssl);
|
||||
|
||||
if (ssloptions->renegotiate_bytes > 0)
|
||||
if (tlsoptions->renegotiate_bytes > 0)
|
||||
{
|
||||
BIO_set_ssl_renegotiate_bytes(SSL_get_rbio(acptr->local->ssl), ssloptions->renegotiate_bytes);
|
||||
BIO_set_ssl_renegotiate_bytes(SSL_get_wbio(acptr->local->ssl), ssloptions->renegotiate_bytes);
|
||||
BIO_set_ssl_renegotiate_bytes(SSL_get_rbio(acptr->local->ssl), tlsoptions->renegotiate_bytes);
|
||||
BIO_set_ssl_renegotiate_bytes(SSL_get_wbio(acptr->local->ssl), tlsoptions->renegotiate_bytes);
|
||||
}
|
||||
|
||||
if (ssloptions->renegotiate_timeout > 0)
|
||||
if (tlsoptions->renegotiate_timeout > 0)
|
||||
{
|
||||
BIO_set_ssl_renegotiate_timeout(SSL_get_rbio(acptr->local->ssl), ssloptions->renegotiate_timeout);
|
||||
BIO_set_ssl_renegotiate_timeout(SSL_get_wbio(acptr->local->ssl), ssloptions->renegotiate_timeout);
|
||||
BIO_set_ssl_renegotiate_timeout(SSL_get_rbio(acptr->local->ssl), tlsoptions->renegotiate_timeout);
|
||||
BIO_set_ssl_renegotiate_timeout(SSL_get_wbio(acptr->local->ssl), tlsoptions->renegotiate_timeout);
|
||||
}
|
||||
|
||||
if (acptr->serv && acptr->serv->conf)
|
||||
@@ -665,7 +665,7 @@ void ircd_SSL_client_handshake(int fd, int revents, void *data)
|
||||
SSL_set_tlsext_host_name(acptr->local->ssl, acptr->serv->conf->servername);
|
||||
}
|
||||
|
||||
acptr->flags |= FLAGS_SSL;
|
||||
acptr->flags |= FLAGS_TLS;
|
||||
|
||||
switch (ircd_SSL_connect(acptr, fd))
|
||||
{
|
||||
@@ -675,8 +675,8 @@ void ircd_SSL_client_handshake(int fd, int revents, void *data)
|
||||
--OpenFiles;
|
||||
return;
|
||||
case 0:
|
||||
Debug((DEBUG_DEBUG, "SetSSLConnectHandshake(%s)", get_client_name(acptr, TRUE)));
|
||||
SetSSLConnectHandshake(acptr);
|
||||
Debug((DEBUG_DEBUG, "SetTLSConnectHandshake(%s)", get_client_name(acptr, TRUE)));
|
||||
SetTLSConnectHandshake(acptr);
|
||||
return;
|
||||
case 1:
|
||||
Debug((DEBUG_DEBUG, "SSL_init_finished should finish this job (%s)", get_client_name(acptr, TRUE)));
|
||||
@@ -935,7 +935,7 @@ int client_starttls(aClient *acptr)
|
||||
if ((acptr->local->ssl = SSL_new(ctx_client)) == NULL)
|
||||
goto fail_starttls;
|
||||
|
||||
acptr->flags |= FLAGS_SSL;
|
||||
acptr->flags |= FLAGS_TLS;
|
||||
|
||||
SSL_set_fd(acptr->local->ssl, acptr->fd);
|
||||
SSL_set_nonblocking(acptr->local->ssl);
|
||||
@@ -961,19 +961,19 @@ fail_starttls:
|
||||
/* Failure */
|
||||
sendnumeric(acptr, ERR_STARTTLS, "STARTTLS failed");
|
||||
acptr->local->ssl = NULL;
|
||||
acptr->flags &= ~FLAGS_SSL;
|
||||
acptr->flags &= ~FLAGS_TLS;
|
||||
SetUnknown(acptr);
|
||||
return 0; /* hm. we allow to continue anyway. not sure if we want that. */
|
||||
}
|
||||
|
||||
/** Find the appropriate SSLOptions structure for a client.
|
||||
/** Find the appropriate TLSOptions structure for a client.
|
||||
* NOTE: The default global SSL options will be returned if not found,
|
||||
* or NULL if no such options are available (unlikely, but possible?).
|
||||
*/
|
||||
SSLOptions *FindSSLOptionsForUser(aClient *acptr)
|
||||
TLSOptions *FindTLSOptionsForUser(aClient *acptr)
|
||||
{
|
||||
ConfigItem_sni *sni;
|
||||
SSLOptions *sslopt = iConf.ssl_options; /* default */
|
||||
TLSOptions *sslopt = iConf.tls_options; /* default */
|
||||
|
||||
if (!MyConnect(acptr) || !IsSecure(acptr))
|
||||
return NULL;
|
||||
@@ -984,7 +984,7 @@ SSLOptions *FindSSLOptionsForUser(aClient *acptr)
|
||||
sni = Find_sni(acptr->local->sni_servername);
|
||||
if (sni)
|
||||
{
|
||||
sslopt = sni->ssl_options;
|
||||
sslopt = sni->tls_options;
|
||||
}
|
||||
/* It is perfectly possible that 'name' is not found and 'sni' is NULL,
|
||||
* if a client used a hostname which we do not know about (eg: 'dummy').
|
||||
@@ -1200,23 +1200,23 @@ char *spki_fingerprint(aClient *cptr)
|
||||
/** Returns 1 if the client is using an outdated protocol or cipher, 0 otherwise */
|
||||
int outdated_tls_client(aClient *acptr)
|
||||
{
|
||||
SSLOptions *ssloptions = get_ssl_options_for_client(acptr);
|
||||
TLSOptions *tlsoptions = get_tls_options_for_client(acptr);
|
||||
char buf[1024], *name, *p;
|
||||
const char *client_protocol = SSL_get_version(acptr->local->ssl);
|
||||
const char *client_ciphersuite = SSL_get_cipher(acptr->local->ssl);
|
||||
int bad = 0;
|
||||
|
||||
if (!ssloptions)
|
||||
if (!tlsoptions)
|
||||
return 0; /* odd.. */
|
||||
|
||||
strlcpy(buf, ssloptions->outdated_protocols, sizeof(buf));
|
||||
strlcpy(buf, tlsoptions->outdated_protocols, sizeof(buf));
|
||||
for (name = strtoken(&p, buf, ","); name; name = strtoken(&p, NULL, ","))
|
||||
{
|
||||
if (!_match(name, client_protocol))
|
||||
return 1; /* outdated protocol */
|
||||
}
|
||||
|
||||
strlcpy(buf, ssloptions->outdated_ciphers, sizeof(buf));
|
||||
strlcpy(buf, tlsoptions->outdated_ciphers, sizeof(buf));
|
||||
for (name = strtoken(&p, buf, ","); name; name = strtoken(&p, NULL, ","))
|
||||
{
|
||||
if (!_match(name, client_ciphersuite))
|
||||
|
||||
@@ -129,7 +129,7 @@ char *url_getfilename(const char *url)
|
||||
* Sets up all of the SSL options necessary to support HTTPS/FTPS
|
||||
* transfers.
|
||||
*/
|
||||
static void set_curl_ssl_options(CURL *curl)
|
||||
static void set_curl_tls_options(CURL *curl)
|
||||
{
|
||||
char buf[512];
|
||||
|
||||
@@ -138,13 +138,13 @@ static void set_curl_ssl_options(CURL *curl)
|
||||
* But this information is not known yet since the configuration file has not been
|
||||
* parsed yet at this point.
|
||||
*/
|
||||
curl_easy_setopt(curl, CURLOPT_SSLCERT, iConf.ssl_options->certificate_file);
|
||||
curl_easy_setopt(curl, CURLOPT_SSLCERT, iConf.tls_options->certificate_file);
|
||||
if (SSLKeyPasswd)
|
||||
curl_easy_setopt(curl, CURLOPT_SSLKEYPASSWD, SSLKeyPasswd);
|
||||
curl_easy_setopt(curl, CURLOPT_SSLKEY, iConf.ssl_options->key_file);
|
||||
curl_easy_setopt(curl, CURLOPT_SSLKEY, iConf.tls_options->key_file);
|
||||
#endif
|
||||
|
||||
snprintf(buf, sizeof(buf), "%s/ssl/curl-ca-bundle.crt", CONFDIR);
|
||||
snprintf(buf, sizeof(buf), "%s/tls/curl-ca-bundle.crt", CONFDIR);
|
||||
curl_easy_setopt(curl, CURLOPT_CAINFO, buf);
|
||||
}
|
||||
|
||||
@@ -218,7 +218,7 @@ char *download_file(const char *url, char **error)
|
||||
*/
|
||||
curl_easy_setopt(curl, CURLOPT_FORBID_REUSE, 1);
|
||||
|
||||
set_curl_ssl_options(curl);
|
||||
set_curl_tls_options(curl);
|
||||
bzero(errorbuf, CURL_ERROR_SIZE);
|
||||
curl_easy_setopt(curl, CURLOPT_ERRORBUFFER, errorbuf);
|
||||
res = curl_easy_perform(curl);
|
||||
@@ -430,7 +430,7 @@ void download_file_async(const char *url, time_t cachetime, vFP callback, void *
|
||||
curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, do_download);
|
||||
curl_easy_setopt(curl, CURLOPT_WRITEDATA, (void *)handle->fd);
|
||||
curl_easy_setopt(curl, CURLOPT_FAILONERROR, 1);
|
||||
set_curl_ssl_options(curl);
|
||||
set_curl_tls_options(curl);
|
||||
bzero(handle->errorbuf, CURL_ERROR_SIZE);
|
||||
curl_easy_setopt(curl, CURLOPT_ERRORBUFFER, handle->errorbuf);
|
||||
curl_easy_setopt(curl, CURLOPT_PRIVATE, (char *)handle);
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
@title Certificate Generation
|
||||
SET OPENSSL_CONF=ssl.cnf
|
||||
openssl ecparam -out server.key.pem -name secp384r1 -genkey
|
||||
openssl req -new -config ssl.cnf -out conf/ssl/server.req.pem -key conf/ssl/server.key.pem -nodes
|
||||
openssl req -x509 -config ssl.cnf -days 3650 -sha256 -in conf/ssl/server.req.pem -key conf/ssl/server.key.pem -out conf/ssl/server.cert.pem
|
||||
openssl req -new -config ssl.cnf -out conf/tls/server.req.pem -key conf/tls/server.key.pem -nodes
|
||||
openssl req -x509 -config ssl.cnf -days 3650 -sha256 -in conf/tls/server.req.pem -key conf/tls/server.key.pem -out conf/tls/server.cert.pem
|
||||
|
||||
|
||||
+1
-1
@@ -211,7 +211,7 @@ __EOF__
|
||||
echo ""
|
||||
echo "Thanks!"
|
||||
elif [ "$1" = "spki" -o "$1" = "spkifp" ] ; then
|
||||
CERT="@CONFDIR@/ssl/server.cert.pem"
|
||||
CERT="@CONFDIR@/tls/server.cert.pem"
|
||||
if [ "$2" != "" ]; then
|
||||
CERT="$2"
|
||||
fi
|
||||
|
||||
Reference in New Issue
Block a user