1
0
mirror of https://github.com/unrealircd/unrealircd.git synced 2026-07-10 04:23:12 +02:00

Mass rename of "ssl" to "tls" everywhere. Including conf/ssl to

conf/tls. If you are upgrading then conf/ssl will be renamed to
conf/tls and a symlink will be added (so certbot etc won't fail).
This is part 1...
This commit is contained in:
Bram Matthys
2019-08-12 14:26:31 +02:00
parent 86844c3c2b
commit 09cf485d6c
24 changed files with 334 additions and 324 deletions
+3 -3
View File
@@ -105,7 +105,7 @@ echo $CONF
$CONF || exit 1
cd "$UNREALCWD"
if [ "$QUICK" != "1" ] ; then
if [ ! -f $CONFDIR/ssl/server.cert.pem ]; then
if [ ! -f $CONFDIR/tls/server.cert.pem -a ! -f $CONFDIR/ssl/server.cert.pem ]; then
export OPENSSLPATH
TEST=""
while [ -z "$TEST" ] ; do
@@ -142,10 +142,10 @@ if [ "$GENCERTIFICATE" = 1 ]; then
sleep 1
else
echo "Ok, not generating SSL certificate. Make sure that the certificate and key"
echo "are installed in conf/ssl/server.crt.pem and conf/ssl/server.key.pem prior to starting the IRCd."
echo "are installed in conf/tls/server.crt.pem and conf/tls/server.key.pem prior to starting the IRCd."
fi
else
echo "SSL certificate exists in $CONFDIR/ssl/server.cert.pem, no need to regenerate."
echo "SSL certificate already exists in configuration directory, no need to regenerate."
fi
fi
+9 -2
View File
@@ -193,8 +193,6 @@ install: all
$(INSTALL) -m 0600 doc/conf/help/*.conf @CONFDIR@/help
$(INSTALL) -m 0700 -d @CONFDIR@/examples
$(INSTALL) -m 0600 doc/conf/examples/*.conf @CONFDIR@/examples
$(INSTALL) -m 0700 -d @CONFDIR@/ssl
$(INSTALL) -m 0600 doc/conf/ssl/curl-ca-bundle.crt @CONFDIR@/ssl
$(INSTALL) -m 0700 unrealircd @SCRIPTDIR@
$(INSTALL) -m 0700 -d @MODULESDIR@
$(INSTALL) -m 0700 src/modules/*.so @MODULESDIR@
@@ -206,6 +204,15 @@ install: all
$(INSTALL) -m 0700 src/modules/snomasks/*.so @MODULESDIR@/snomasks
$(INSTALL) -m 0700 -d @MODULESDIR@/extbans
$(INSTALL) -m 0700 src/modules/extbans/*.so @MODULESDIR@/extbans
@#If the conf/ssl directory exists then rename it here to conf/tls
@#and add a symlink for backwards compatibility (so that f.e. certbot
@#doesn't randomly fail after an upgrade to U5).
-@if [ -d "@CONFDIR@/ssl" ] ; then \
mv "@CONFDIR@/ssl" "@CONFDIR@/tls" ; \
ln -s "@CONFDIR@/tls" "@CONFDIR@/ssl" ; \
fi
$(INSTALL) -m 0700 -d @CONFDIR@/tls
$(INSTALL) -m 0600 doc/conf/ssl/curl-ca-bundle.crt @CONFDIR@/ssl
@# delete modules/cap directory, to avoid confusing with U4 to U5 upgrades:
rm -rf @MODULESDIR@/cap
$(INSTALL) -m 0700 -d @MODULESDIR@/third
+4 -4
View File
@@ -63,7 +63,7 @@ struct zConfiguration {
unsigned ident_check:1;
unsigned fail_oper_warn:1;
unsigned show_connect_info:1;
unsigned no_connect_ssl_info:1;
unsigned no_connect_tls_info:1;
unsigned dont_resolve:1;
unsigned use_ban_version:1;
unsigned mkpasswd_for_everyone:1;
@@ -93,7 +93,7 @@ struct zConfiguration {
char *egd_path;
char *static_quit;
char *static_part;
SSLOptions *ssl_options;
TLSOptions *tls_options;
Policy plaintext_policy_user;
char *plaintext_policy_user_message;
Policy plaintext_policy_oper;
@@ -194,7 +194,7 @@ extern MODVAR int ipv6_disabled;
#define IDENT_CHECK iConf.ident_check
#define FAILOPER_WARN iConf.fail_oper_warn
#define SHOWCONNECTINFO iConf.show_connect_info
#define NOCONNECTSSLINFO iConf.no_connect_ssl_info
#define NOCONNECTSSLINFO iConf.no_connect_tls_info
#define OPER_ONLY_STATS iConf.oper_only_stats
#define ANTI_SPAM_QUIT_MSG_TIME iConf.anti_spam_quit_message_time
#ifdef HAVE_RAND_EGD
@@ -360,7 +360,7 @@ struct SetCheck {
unsigned has_options_fail_oper_warn:1;
unsigned has_options_dont_resolve:1;
unsigned has_options_show_connect_info:1;
unsigned has_options_no_connect_ssl_info:1;
unsigned has_options_no_connect_tls_info:1;
unsigned has_options_mkpasswd_for_everyone:1;
unsigned has_options_allow_insane_bans:1;
unsigned has_options_allow_part_if_shunned:1;
+2 -2
View File
@@ -526,7 +526,7 @@ extern time_t rfc2time(char *s);
extern char *rfctime(time_t t, char *buf);
extern void *MyMallocEx(size_t size);
extern MODFUNC char *ssl_get_cipher(SSL *ssl);
extern SSLOptions *get_ssl_options_for_client(aClient *acptr);
extern TLSOptions *get_tls_options_for_client(aClient *acptr);
extern int outdated_tls_client(aClient *acptr);
extern char *outdated_tls_client_build_string(char *pattern, aClient *acptr);
extern long config_checkval(char *value, unsigned short flags);
@@ -815,7 +815,7 @@ extern int has_common_channels(aClient *c1, aClient *c2);
extern int user_can_see_member(aClient *user, aClient *target, aChannel *chptr);
extern int invisible_user_in_channel(aClient *target, aChannel *chptr);
extern MODVAR int ssl_client_index;
extern SSLOptions *FindSSLOptionsForUser(aClient *acptr);
extern TLSOptions *FindTLSOptionsForUser(aClient *acptr);
extern int IsWebsocket(aClient *acptr);
extern Policy policy_strtoval(char *s);
extern char *policy_valtostr(Policy policy);
+6 -6
View File
@@ -12,11 +12,11 @@ extern int ircd_SSL_connect(aClient *acptr, int fd);
extern int SSL_smart_shutdown(SSL *ssl);
extern void ircd_SSL_client_handshake(int, int, void *);
extern void SSL_set_nonblocking(SSL *s);
extern SSL_CTX *init_ctx(SSLOptions *ssloptions, int server);
extern SSL_CTX *init_ctx(TLSOptions *tlsoptions, int server);
#define SSL_PROTOCOL_TLSV1 0x0001
#define SSL_PROTOCOL_TLSV1_1 0x0002
#define SSL_PROTOCOL_TLSV1_2 0x0004
#define SSL_PROTOCOL_TLSV1_3 0x0008
#define TLS_PROTOCOL_TLSV1 0x0001
#define TLS_PROTOCOL_TLSV1_1 0x0002
#define TLS_PROTOCOL_TLSV1_2 0x0004
#define TLS_PROTOCOL_TLSV1_3 0x0008
#define SSL_PROTOCOL_ALL 0xffff
#define TLS_PROTOCOL_ALL 0xffff
+30 -30
View File
@@ -247,9 +247,9 @@ typedef OperPermission (*OperClassEntryEvalCallback)(OperClassACLEntryVar* varia
#define STAT_LOG -7 /* logfile for -x */
#define STAT_CONNECTING -6
#define STAT_SSL_STARTTLS_HANDSHAKE -8
#define STAT_SSL_CONNECT_HANDSHAKE -5
#define STAT_SSL_ACCEPT_HANDSHAKE -4
#define STAT_TLS_STARTTLS_HANDSHAKE -8
#define STAT_TLS_CONNECT_HANDSHAKE -5
#define STAT_TLS_ACCEPT_HANDSHAKE -4
#define STAT_HANDSHAKE -3
#define STAT_ME -2
#define STAT_UNKNOWN -1
@@ -264,18 +264,18 @@ typedef OperPermission (*OperClassEntryEvalCallback)(OperClassACLEntryVar* varia
#define IsConnecting(x) ((x)->status == STAT_CONNECTING)
#define IsHandshake(x) ((x)->status == STAT_HANDSHAKE)
#define IsMe(x) ((x)->status == STAT_ME)
#define IsUnknown(x) (((x)->status == STAT_UNKNOWN) || ((x)->status == STAT_SSL_STARTTLS_HANDSHAKE))
#define IsUnknown(x) (((x)->status == STAT_UNKNOWN) || ((x)->status == STAT_TLS_STARTTLS_HANDSHAKE))
#define IsServer(x) ((x)->status == STAT_SERVER)
#define IsClient(x) ((x)->status == STAT_CLIENT)
#define IsLog(x) ((x)->status == STAT_LOG)
#define IsSSLStartTLSHandshake(x) ((x)->status == STAT_SSL_STARTTLS_HANDSHAKE)
#define IsSSLAcceptHandshake(x) ((x)->status == STAT_SSL_ACCEPT_HANDSHAKE)
#define IsSSLConnectHandshake(x) ((x)->status == STAT_SSL_CONNECT_HANDSHAKE)
#define IsSSLHandshake(x) (IsSSLAcceptHandshake(x) || IsSSLConnectHandshake(x) | IsSSLStartTLSHandshake(x))
#define SetSSLStartTLSHandshake(x) ((x)->status = STAT_SSL_STARTTLS_HANDSHAKE)
#define SetSSLAcceptHandshake(x) ((x)->status = STAT_SSL_ACCEPT_HANDSHAKE)
#define SetSSLConnectHandshake(x) ((x)->status = STAT_SSL_CONNECT_HANDSHAKE)
#define IsStartTLSHandshake(x) ((x)->status == STAT_TLS_STARTTLS_HANDSHAKE)
#define IsTLSAcceptHandshake(x) ((x)->status == STAT_TLS_ACCEPT_HANDSHAKE)
#define IsTLSConnectHandshake(x) ((x)->status == STAT_TLS_CONNECT_HANDSHAKE)
#define IsTLSHandshake(x) (IsTLSAcceptHandshake(x) || IsTLSConnectHandshake(x) | IsStartTLSHandshake(x))
#define SetStartTLSHandshake(x) ((x)->status = STAT_TLS_STARTTLS_HANDSHAKE)
#define SetTLSAcceptHandshake(x) ((x)->status = STAT_TLS_ACCEPT_HANDSHAKE)
#define SetTLSConnectHandshake(x) ((x)->status = STAT_TLS_CONNECT_HANDSHAKE)
#define SetConnecting(x) ((x)->status = STAT_CONNECTING)
#define SetHandshake(x) ((x)->status = STAT_HANDSHAKE)
@@ -312,7 +312,7 @@ typedef OperPermission (*OperClassEntryEvalCallback)(OperClassACLEntryVar* varia
#define FLAGS_DCCNOTICE 0x00100000 /* Has the user seen a notice on how to use DCCALLOW already? */
#define FLAGS_SHUNNED 0x00200000 /* Connection is shunned */
#define FLAGS_VIRUS 0x00400000 /* Tagged by spamfilter */
#define FLAGS_SSL 0x00800000 /* Connection is using SSL/TLS */
#define FLAGS_TLS 0x00800000 /* Connection is using SSL/TLS */
#define FLAGS_NOFAKELAG 0x01000000 /* Exemption from fake lag */
#define FLAGS_DCCBLOCK 0x02000000 /* Block all DCC send requests */
#define FLAGS_MAP 0x04000000 /* Show this entry in /MAP */
@@ -388,7 +388,7 @@ typedef OperPermission (*OperClassEntryEvalCallback)(OperClassACLEntryVar* varia
#define IsVirus(x) ((x)->flags & FLAGS_VIRUS)
#define SetVirus(x) ((x)->flags |= FLAGS_VIRUS)
#define ClearVirus(x) ((x)->flags &= ~FLAGS_VIRUS)
#define IsSecure(x) ((x)->flags & FLAGS_SSL)
#define IsSecure(x) ((x)->flags & FLAGS_TLS)
/* Fake lag exception */
#define IsNoFakeLag(x) ((x)->flags & FLAGS_NOFAKELAG)
@@ -398,7 +398,7 @@ typedef OperPermission (*OperClassEntryEvalCallback)(OperClassACLEntryVar* varia
#define IsHidden(x) ((x)->umodes & UMODE_HIDE)
#define IsSetHost(x) ((x)->umodes & UMODE_SETHOST)
#define IsHideOper(x) ((x)->umodes & UMODE_HIDEOPER)
#define IsSSL(x) IsSecure(x)
#define IsTLS(x) IsSecure(x)
#define IsNotSpoof(x) ((x)->local->nospoof == 0)
#define GetHost(x) (IsHidden(x) ? (x)->user->virthost : (x)->user->realhost)
@@ -825,13 +825,13 @@ extern void unload_all_unused_moddata(void);
#define LISTENER_NORMAL 0x000001
#define LISTENER_CLIENTSONLY 0x000002
#define LISTENER_SERVERSONLY 0x000004
#define LISTENER_SSL 0x000010
#define LISTENER_TLS 0x000010
#define LISTENER_BOUND 0x000020
#define LISTENER_DEFER_ACCEPT 0x000040
#define IsServersOnlyListener(x) ((x) && ((x)->options & LISTENER_SERVERSONLY))
#define CONNECT_SSL 0x000001
#define CONNECT_TLS 0x000001
//0x000002 unused (was ziplinks)
#define CONNECT_AUTO 0x000004
#define CONNECT_QUARANTINE 0x000008
@@ -839,9 +839,9 @@ extern void unload_all_unused_moddata(void);
#define CONNECT_NOHOSTCHECK 0x000020
#define CONNECT_INSECURE 0x000040
#define SSLFLAG_FAILIFNOCERT 0x1
#define SSLFLAG_NOSTARTTLS 0x8
#define SSLFLAG_DISABLECLIENTCERT 0x10
#define TLSFLAG_FAILIFNOCERT 0x1
#define TLSFLAG_NOSTARTTLS 0x8
#define TLSFLAG_DISABLECLIENTCERT 0x10
struct Client {
struct list_head client_node; /* for global client list (client_list) */
@@ -1090,7 +1090,7 @@ struct _configitem_class {
struct _configflag_allow {
unsigned noident :1;
unsigned useip :1;
unsigned ssl :1;
unsigned tls :1;
};
struct _configitem_allow {
@@ -1167,13 +1167,13 @@ struct _configitem_oper {
int maxlogins;
};
/** The SSL options that are used in set::ssl and otherblocks::ssl-options.
/** The SSL/TLS options that are used in set::tls and otherblocks::tls-options.
* NOTE: If you add something here then you must also update the
* conf_sslblock() function in s_conf.c to have it inherited
* from set::ssl to the other config blocks!
* conf_tlsblock() function in s_conf.c to have it inherited
* from set::tls to the other config blocks!
*/
typedef struct _ssloptions SSLOptions;
struct _ssloptions {
typedef struct _tlsoptions TLSOptions;
struct _tlsoptions {
char *certificate_file;
char *key_file;
char *dh_file;
@@ -1209,7 +1209,7 @@ struct _configitem_ulines {
char *servername;
};
#define TLD_SSL 0x1
#define TLD_TLS 0x1
#define TLD_REMOTE 0x2
struct _configitem_tld {
@@ -1231,7 +1231,7 @@ struct _configitem_listen {
int fd;
int ipv6;
SSL_CTX *ssl_ctx;
SSLOptions *ssl_options;
TLSOptions *tls_options;
};
struct _configitem_sni {
@@ -1239,7 +1239,7 @@ struct _configitem_sni {
ConfigFlag flag;
char *name;
SSL_CTX *ssl_ctx;
SSLOptions *ssl_options;
TLSOptions *tls_options;
};
struct _configitem_vhost {
@@ -1263,7 +1263,7 @@ struct _configitem_link {
char *bind_ip; /**< Our IP to bind to when doing the connect */
char *hostname; /**< Hostname or IP to connect to */
int port; /**< Port to connect to */
int options; /**< Connect options like ssl or autoconnect */
int options; /**< Connect options like tls or autoconnect */
} outgoing;
anAuthStruct *auth; /**< authentication method (eg: password) */
char *hub; /**< Hub mask */
@@ -1277,7 +1277,7 @@ struct _configitem_link {
time_t hold; /**< For how long the server is "on hold" for outgoing connects (why?) */
char *connect_ip; /**< actual IP to use for outgoing connect (filled in after host is resolved) */
SSL_CTX *ssl_ctx; /**< SSL Context for outgoing connection (optional) */
SSLOptions *ssl_options; /**< SSL Options for outgoing connection (optional) */
TLSOptions *tls_options; /**< SSL Options for outgoing connection (optional) */
};
struct _configitem_except {
+8 -8
View File
@@ -432,7 +432,7 @@ void close_listener(ConfigItem_listen *listener)
ircd_log(LOG_ERROR, "IRCd no longer listening on %s:%d (%s)%s",
listener->ip, listener->port,
listener->ipv6 ? "IPv6" : "IPv4",
listener->options & LISTENER_SSL ? " (SSL)" : "");
listener->options & LISTENER_TLS ? " (SSL)" : "");
fd_close(listener->fd);
--OpenFiles;
}
@@ -753,7 +753,7 @@ void close_connection(aClient *cptr)
if (cptr->fd >= 0)
{
send_queued(cptr);
if (IsSSL(cptr) && cptr->local->ssl) {
if (IsTLS(cptr) && cptr->local->ssl) {
SSL_set_shutdown(cptr->local->ssl, SSL_RECEIVED_SHUTDOWN);
SSL_smart_shutdown(cptr->local->ssl);
SSL_free(cptr->local->ssl);
@@ -1042,19 +1042,19 @@ refuse_client:
list_add(&acptr->lclient_node, &unknown_list);
if ((listener->options & LISTENER_SSL) && ctx_server)
if ((listener->options & LISTENER_TLS) && ctx_server)
{
SSL_CTX *ctx = listener->ssl_ctx ? listener->ssl_ctx : ctx_server;
if (ctx)
{
SetSSLAcceptHandshake(acptr);
SetTLSAcceptHandshake(acptr);
Debug((DEBUG_DEBUG, "Starting SSL accept handshake for %s", acptr->local->sockhost));
if ((acptr->local->ssl = SSL_new(ctx)) == NULL)
{
goto refuse_client;
}
acptr->flags |= FLAGS_SSL;
acptr->flags |= FLAGS_TLS;
SSL_set_fd(acptr->local->ssl, fd);
SSL_set_nonblocking(acptr->local->ssl);
SSL_set_ex_data(acptr->local->ssl, ssl_client_index, acptr);
@@ -1234,7 +1234,7 @@ void read_packet(int fd, int revents, void *data)
while (1)
{
if (IsSSL(cptr) && cptr->local->ssl != NULL)
if (IsTLS(cptr) && cptr->local->ssl != NULL)
{
length = SSL_read(cptr->local->ssl, readbuf, sizeof(readbuf));
@@ -1482,9 +1482,9 @@ int connect_server(ConfigItem_link *aconf, aClient *by, struct hostent *hp)
set_sockhost(cptr, aconf->outgoing.hostname);
add_client_to_list(cptr);
if (aconf->outgoing.options & CONNECT_SSL)
if (aconf->outgoing.options & CONNECT_TLS)
{
SetSSLConnectHandshake(cptr);
SetTLSConnectHandshake(cptr);
fd_setselect(cptr->fd, FD_SELECT_WRITE, ircd_SSL_client_handshake, cptr);
}
else
+164 -161
View File
@@ -141,8 +141,9 @@ static NameValue _ListenerFlags[] = {
{ LISTENER_CLIENTSONLY, "clientsonly"},
{ LISTENER_DEFER_ACCEPT, "defer-accept"},
{ LISTENER_SERVERSONLY, "serversonly"},
{ LISTENER_SSL, "ssl"},
{ LISTENER_TLS, "ssl"},
{ LISTENER_NORMAL, "standard"},
{ LISTENER_TLS, "tls"},
};
/* This MUST be alphabetized */
@@ -150,7 +151,8 @@ static NameValue _LinkFlags[] = {
{ CONNECT_AUTO, "autoconnect" },
{ CONNECT_INSECURE, "insecure" },
{ CONNECT_QUARANTINE, "quarantine"},
{ CONNECT_SSL, "ssl" },
{ CONNECT_TLS, "ssl" },
{ CONNECT_TLS, "tls" },
};
/* This MUST be alphabetized */
@@ -179,10 +181,10 @@ static NameValue ExceptTklFlags[] = {
};
/* This MUST be alphabetized */
static NameValue _SSLFlags[] = {
{ SSLFLAG_FAILIFNOCERT, "fail-if-no-clientcert" },
{ SSLFLAG_DISABLECLIENTCERT, "no-client-certificate" },
{ SSLFLAG_NOSTARTTLS, "no-starttls" },
static NameValue _TLSFlags[] = {
{ TLSFLAG_FAILIFNOCERT, "fail-if-no-clientcert" },
{ TLSFLAG_DISABLECLIENTCERT, "no-client-certificate" },
{ TLSFLAG_NOSTARTTLS, "no-starttls" },
};
struct {
@@ -229,12 +231,12 @@ extern void unload_all_unused_history_backends(void);
int reloadable_perm_module_unloaded(void);
int ssl_tests(void);
int tls_tests(void);
/* Conf sub-sub-functions */
void test_sslblock(ConfigFile *conf, ConfigEntry *cep, int *totalerrors);
void conf_sslblock(ConfigFile *conf, ConfigEntry *cep, SSLOptions *ssloptions);
void free_ssl_options(SSLOptions *ssloptions);
void test_tlsblock(ConfigFile *conf, ConfigEntry *cep, int *totalerrors);
void conf_tlsblock(ConfigFile *conf, ConfigEntry *cep, TLSOptions *tlsoptions);
void free_tls_options(TLSOptions *tlsoptions);
/*
* Config parser (IRCd)
@@ -289,7 +291,7 @@ int config_verbose = 0;
MODVAR int need_34_upgrade = 0;
int need_operclass_permissions_upgrade = 0;
int have_ssl_listeners = 0;
int have_tls_listeners = 0;
char *port_6667_ip = NULL;
void add_include(const char *filename, const char *included_from, int included_from_line);
@@ -1441,10 +1443,10 @@ void free_iConf(aConfiguration *i)
safefree(i->channel_command_prefix);
safefree(i->oper_snomask);
safefree(i->static_quit);
if (i->ssl_options)
if (i->tls_options)
{
free_ssl_options(i->ssl_options);
i->ssl_options = NULL;
free_tls_options(i->tls_options);
i->tls_options = NULL;
}
safefree(i->restrict_usermodes);
safefree(i->restrict_channelmodes);
@@ -1524,25 +1526,25 @@ void config_setdefaultsettings(aConfiguration *i)
i->broadcast_channel_messages = BROADCAST_CHANNEL_MESSAGES_AUTO;
/* SSL/TLS options */
i->ssl_options = MyMallocEx(sizeof(SSLOptions));
snprintf(tmp, sizeof(tmp), "%s/ssl/server.cert.pem", CONFDIR);
i->ssl_options->certificate_file = strdup(tmp);
snprintf(tmp, sizeof(tmp), "%s/ssl/server.key.pem", CONFDIR);
i->ssl_options->key_file = strdup(tmp);
snprintf(tmp, sizeof(tmp), "%s/ssl/curl-ca-bundle.crt", CONFDIR);
i->ssl_options->trusted_ca_file = strdup(tmp);
i->ssl_options->ciphers = strdup(UNREALIRCD_DEFAULT_CIPHERS);
i->ssl_options->ciphersuites = strdup(UNREALIRCD_DEFAULT_CIPHERSUITES);
i->ssl_options->protocols = SSL_PROTOCOL_ALL;
i->tls_options = MyMallocEx(sizeof(TLSOptions));
snprintf(tmp, sizeof(tmp), "%s/tls/server.cert.pem", CONFDIR);
i->tls_options->certificate_file = strdup(tmp);
snprintf(tmp, sizeof(tmp), "%s/tls/server.key.pem", CONFDIR);
i->tls_options->key_file = strdup(tmp);
snprintf(tmp, sizeof(tmp), "%s/tls/curl-ca-bundle.crt", CONFDIR);
i->tls_options->trusted_ca_file = strdup(tmp);
i->tls_options->ciphers = strdup(UNREALIRCD_DEFAULT_CIPHERS);
i->tls_options->ciphersuites = strdup(UNREALIRCD_DEFAULT_CIPHERSUITES);
i->tls_options->protocols = TLS_PROTOCOL_ALL;
#ifdef HAS_SSL_CTX_SET1_CURVES_LIST
i->ssl_options->ecdh_curves = strdup(UNREALIRCD_DEFAULT_ECDH_CURVES);
i->tls_options->ecdh_curves = strdup(UNREALIRCD_DEFAULT_ECDH_CURVES);
#endif
i->ssl_options->outdated_protocols = strdup("TLSv1,TLSv1.1");
i->tls_options->outdated_protocols = strdup("TLSv1,TLSv1.1");
/* the following may look strange but "AES*" matches all
* AES ciphersuites that do not have Forward Secrecy.
* Any decent client using AES will use ECDHE-xx-AES.
*/
i->ssl_options->outdated_ciphers = strdup("AES*,RC4*,DES*");
i->tls_options->outdated_ciphers = strdup("AES*,RC4*,DES*");
i->plaintext_policy_user = POLICY_ALLOW;
i->plaintext_policy_oper = POLICY_DENY;
@@ -1773,7 +1775,7 @@ void config_test_reset(void)
int config_test_all(void)
{
if ((config_test() < 0) || (callbacks_check() < 0) || (efunctions_check() < 0) ||
reloadable_perm_module_unloaded() || !ssl_tests())
reloadable_perm_module_unloaded() || !tls_tests())
{
return 0;
}
@@ -2424,12 +2426,12 @@ void config_rehash()
}
conf_offchans = NULL;
/* Free sni { } blocks */
/* Free sni { } blocks */
for (sni = conf_sni; sni; sni = (ConfigItem_sni *)next)
{
next = (ListStruct *)sni->next;
SSL_CTX_free(sni->ssl_ctx);
free_ssl_options(sni->ssl_options);
free_tls_options(sni->tls_options);
safefree(sni->name);
MyFree(sni);
}
@@ -2892,7 +2894,7 @@ ConfigItem_tld *Find_tld(aClient *cptr)
{
if (match_user(tld->mask, cptr, MATCH_CHECK_REAL))
{
if ((tld->options & TLD_SSL) && !IsSecureConnect(cptr))
if ((tld->options & TLD_TLS) && !IsSecureConnect(cptr))
continue;
if ((tld->options & TLD_REMOTE) && MyClient(cptr))
continue;
@@ -4479,8 +4481,8 @@ int _conf_tld(ConfigFile *conf, ConfigEntry *ce)
ConfigEntry *cepp;
for (cepp = cep->ce_entries; cepp; cepp = cepp->ce_next)
{
if (!strcmp(cepp->ce_varname, "ssl"))
ca->options |= TLD_SSL;
if (!strcmp(cepp->ce_varname, "ssl") || !strcmp(cepp->ce_varname, "tls"))
ca->options |= TLD_TLS;
else if (!strcmp(cepp->ce_varname, "remote"))
ca->options |= TLD_REMOTE;
}
@@ -4651,7 +4653,8 @@ int _test_tld(ConfigFile *conf, ConfigEntry *ce)
for (cep2 = cep->ce_entries; cep2; cep2 = cep2->ce_next)
{
if (strcmp(cep2->ce_varname, "ssl") &&
strcmp(cep2->ce_varname, "remote"))
strcmp(cep2->ce_varname, "tls") &&
strcmp(cep2->ce_varname, "remote"))
{
config_error_unknownopt(cep2->ce_fileptr->cf_filename,
cep2->ce_varlinenum, "tld", cep2->ce_varname);
@@ -4692,7 +4695,7 @@ int _conf_listen(ConfigFile *conf, ConfigEntry *ce)
{
ConfigEntry *cep;
ConfigEntry *cepp;
ConfigEntry *sslconfig = NULL;
ConfigEntry *tlsconfig = NULL;
ConfigItem_listen *listen = NULL;
char *ip = NULL;
int start=0, end=0, port, isnew;
@@ -4720,9 +4723,9 @@ int _conf_listen(ConfigFile *conf, ConfigEntry *ce)
tmpflags |= ofp->flag;
}
} else
if (!strcmp(cep->ce_varname, "ssl-options"))
if (!strcmp(cep->ce_varname, "ssl-options") || !strcmp(cep->ce_varname, "tls-options"))
{
sslconfig = cep;
tlsconfig = cep;
} else
{
for (h = Hooks[HOOKTYPE_CONFIGRUN]; h; h = h->next)
@@ -4763,17 +4766,17 @@ int _conf_listen(ConfigFile *conf, ConfigEntry *ce)
listen->ssl_ctx = NULL;
}
if (listen->ssl_options)
if (listen->tls_options)
{
free_ssl_options(listen->ssl_options);
listen->ssl_options = NULL;
free_tls_options(listen->tls_options);
listen->tls_options = NULL;
}
if (sslconfig)
if (tlsconfig)
{
listen->ssl_options = MyMallocEx(sizeof(SSLOptions));
conf_sslblock(conf, sslconfig, listen->ssl_options);
listen->ssl_ctx = init_ctx(listen->ssl_options, 1);
listen->tls_options = MyMallocEx(sizeof(TLSOptions));
conf_tlsblock(conf, tlsconfig, listen->tls_options);
listen->ssl_ctx = init_ctx(listen->tls_options, 1);
}
}
@@ -4807,17 +4810,17 @@ int _conf_listen(ConfigFile *conf, ConfigEntry *ce)
listen->ssl_ctx = NULL;
}
if (listen->ssl_options)
if (listen->tls_options)
{
free_ssl_options(listen->ssl_options);
listen->ssl_options = NULL;
free_tls_options(listen->tls_options);
listen->tls_options = NULL;
}
if (sslconfig)
if (tlsconfig)
{
listen->ssl_options = MyMallocEx(sizeof(SSLOptions));
conf_sslblock(conf, sslconfig, listen->ssl_options);
listen->ssl_ctx = init_ctx(listen->ssl_options, 1);
listen->tls_options = MyMallocEx(sizeof(TLSOptions));
conf_tlsblock(conf, tlsconfig, listen->tls_options);
listen->ssl_ctx = init_ctx(listen->tls_options, 1);
}
}
}
@@ -4895,14 +4898,14 @@ int _test_listen(ConfigFile *conf, ConfigEntry *ce)
errors++;
continue;
}
if (!strcmp(cepp->ce_varname, "ssl"))
have_ssl_listeners = 1; /* for ssl config test */
if (!strcmp(cepp->ce_varname, "ssl") || !strcmp(cepp->ce_varname, "tls"))
have_tls_listeners = 1; /* for ssl config test */
}
}
else
if (!strcmp(cep->ce_varname, "ssl-options"))
if (!strcmp(cep->ce_varname, "ssl-options") || !strcmp(cep->ce_varname, "tls-options"))
{
test_sslblock(conf, cep, &errors);
test_tlsblock(conf, cep, &errors);
}
else
if (!cep->ce_vardata)
@@ -5080,8 +5083,8 @@ int _conf_allow(ConfigFile *conf, ConfigEntry *ce)
allow->flags.noident = 1;
else if (!strcmp(cepp->ce_varname, "useip"))
allow->flags.useip = 1;
else if (!strcmp(cepp->ce_varname, "ssl"))
allow->flags.ssl = 1;
else if (!strcmp(cepp->ce_varname, "ssl") || !strcmp(cepp->ce_varname, "tls"))
allow->flags.tls = 1;
}
}
}
@@ -5277,7 +5280,7 @@ int _test_allow(ConfigFile *conf, ConfigEntry *ce)
{}
else if (!strcmp(cepp->ce_varname, "useip"))
{}
else if (!strcmp(cepp->ce_varname, "ssl"))
else if (!strcmp(cepp->ce_varname, "ssl") || !strcmp(cepp->ce_varname, "tls"))
{}
else if (!strcmp(cepp->ce_varname, "sasl"))
{
@@ -6061,7 +6064,7 @@ int _test_vhost(ConfigFile *conf, ConfigEntry *ce)
int _test_sni(ConfigFile *conf, ConfigEntry *ce)
{
int errors = 0;
ConfigEntry *cep, *sslconfig = NULL;
ConfigEntry *cep, *tlsconfig = NULL;
if (!ce->ce_vardata)
{
@@ -6072,9 +6075,9 @@ int _test_sni(ConfigFile *conf, ConfigEntry *ce)
for (cep = ce->ce_entries; cep; cep = cep->ce_next)
{
if (!strcmp(cep->ce_varname, "ssl-options"))
if (!strcmp(cep->ce_varname, "ssl-options") || !strcmp(cep->ce_varname, "tls-options"))
{
test_sslblock(conf, cep, &errors);
test_tlsblock(conf, cep, &errors);
} else
{
config_error_unknown(cep->ce_fileptr->cf_filename, cep->ce_varlinenum,
@@ -6090,7 +6093,7 @@ int _test_sni(ConfigFile *conf, ConfigEntry *ce)
int _conf_sni(ConfigFile *conf, ConfigEntry *ce)
{
ConfigEntry *cep;
ConfigEntry *sslconfig = NULL;
ConfigEntry *tlsconfig = NULL;
char *name;
ConfigItem_sni *sni = NULL;
@@ -6100,20 +6103,20 @@ int _conf_sni(ConfigFile *conf, ConfigEntry *ce)
for (cep = ce->ce_entries; cep; cep = cep->ce_next)
{
if (!strcmp(cep->ce_varname, "ssl-options"))
if (!strcmp(cep->ce_varname, "ssl-options") || !strcmp(cep->ce_varname, "tls-options"))
{
sslconfig = cep;
tlsconfig = cep;
}
}
if (!sslconfig)
if (!tlsconfig)
return 0;
sni = MyMallocEx(sizeof(ConfigItem_listen));
sni->name = strdup(name);
sni->ssl_options = MyMallocEx(sizeof(SSLOptions));
conf_sslblock(conf, sslconfig, sni->ssl_options);
sni->ssl_ctx = init_ctx(sni->ssl_options, 1);
sni->tls_options = MyMallocEx(sizeof(TLSOptions));
conf_tlsblock(conf, tlsconfig, sni->tls_options);
sni->ssl_ctx = init_ctx(sni->tls_options, 1);
AddListItem(sni, conf_sni);
return 1;
@@ -6333,11 +6336,11 @@ int _conf_link(ConfigFile *conf, ConfigEntry *ce)
link->outgoing.options |= ofp->flag;
}
}
else if (!strcmp(cepp->ce_varname, "ssl-options"))
else if (!strcmp(cepp->ce_varname, "ssl-options") || !strcmp(cepp->ce_varname, "tls-options"))
{
link->ssl_options = MyMallocEx(sizeof(SSLOptions));
conf_sslblock(conf, cepp, link->ssl_options);
link->ssl_ctx = init_ctx(link->ssl_options, 0);
link->tls_options = MyMallocEx(sizeof(TLSOptions));
conf_tlsblock(conf, cepp, link->tls_options);
link->ssl_ctx = init_ctx(link->tls_options, 0);
}
}
}
@@ -6495,7 +6498,7 @@ int _test_link(ConfigFile *conf, ConfigEntry *ce)
{
if (!strcmp(ceppp->ce_varname, "autoconnect"))
;
else if (!strcmp(ceppp->ce_varname, "ssl"))
else if (!strcmp(ceppp->ce_varname, "ssl") || strcmp(ceppp->ce_varname, "tls"))
;
else if (!strcmp(ceppp->ce_varname, "insecure"))
;
@@ -6508,9 +6511,9 @@ int _test_link(ConfigFile *conf, ConfigEntry *ce)
// TODO: validate more options (?) and use list rather than code here...
}
}
else if (!strcmp(cepp->ce_varname, "ssl-options"))
else if (!strcmp(cepp->ce_varname, "ssl-options") || !strcmp(cepp->ce_varname, "tls-options"))
{
test_sslblock(conf, cepp, &errors);
test_tlsblock(conf, cepp, &errors);
}
else
{
@@ -6997,7 +7000,7 @@ int _test_require(ConfigFile *conf, ConfigEntry *ce)
#define CheckNullAllowEmpty(x) if ((!(x)->ce_vardata)) { config_error("%s:%i: missing parameter", (x)->ce_fileptr->cf_filename, (x)->ce_varlinenum); errors++; continue; }
#define CheckDuplicate(cep, name, display) if (settings.has_##name) { config_warn_duplicate((cep)->ce_fileptr->cf_filename, cep->ce_varlinenum, "set::" display); continue; } else settings.has_##name = 1
void test_sslblock(ConfigFile *conf, ConfigEntry *cep, int *totalerrors)
void test_tlsblock(ConfigFile *conf, ConfigEntry *cep, int *totalerrors)
{
ConfigEntry *cepp, *ceppp;
int errors = 0;
@@ -7050,15 +7053,15 @@ void test_sslblock(ConfigFile *conf, ConfigEntry *cep, int *totalerrors)
}
if (!stricmp(name, "All"))
option = SSL_PROTOCOL_ALL;
option = TLS_PROTOCOL_ALL;
else if (!stricmp(name, "TLSv1"))
option = SSL_PROTOCOL_TLSV1;
option = TLS_PROTOCOL_TLSV1;
else if (!stricmp(name, "TLSv1.1"))
option = SSL_PROTOCOL_TLSV1_1;
option = TLS_PROTOCOL_TLSV1_1;
else if (!stricmp(name, "TLSv1.2"))
option = SSL_PROTOCOL_TLSV1_2;
option = TLS_PROTOCOL_TLSV1_2;
else if (!stricmp(name, "TLSv1.3"))
option = SSL_PROTOCOL_TLSV1_3;
option = TLS_PROTOCOL_TLSV1_3;
else
{
#ifdef SSL_OP_NO_TLSv1_3
@@ -7108,9 +7111,9 @@ void test_sslblock(ConfigFile *conf, ConfigEntry *cep, int *totalerrors)
else if (!strcmp(cepp->ce_varname, "options"))
{
for (ceppp = cepp->ce_entries; ceppp; ceppp = ceppp->ce_next)
if (!config_binary_flags_search(_SSLFlags, ceppp->ce_varname, ARRAY_SIZEOF(_SSLFlags)))
if (!config_binary_flags_search(_TLSFlags, ceppp->ce_varname, ARRAY_SIZEOF(_TLSFlags)))
{
config_error("%s:%i: unknown SSL flag '%s'",
config_error("%s:%i: unknown SSL/TLS option '%s'",
ceppp->ce_fileptr->cf_filename,
ceppp->ce_varlinenum, ceppp->ce_varname);
errors ++;
@@ -7178,48 +7181,48 @@ void test_sslblock(ConfigFile *conf, ConfigEntry *cep, int *totalerrors)
*totalerrors += errors;
}
void free_ssl_options(SSLOptions *ssloptions)
void free_tls_options(TLSOptions *tlsoptions)
{
if (!ssloptions)
if (!tlsoptions)
return;
safefree(ssloptions->certificate_file);
safefree(ssloptions->key_file);
safefree(ssloptions->dh_file);
safefree(ssloptions->trusted_ca_file);
safefree(ssloptions->ciphers);
safefree(ssloptions->ciphersuites);
safefree(ssloptions->ecdh_curves);
safefree(ssloptions->outdated_protocols);
safefree(ssloptions->outdated_ciphers);
memset(ssloptions, 0, sizeof(SSLOptions));
MyFree(ssloptions);
safefree(tlsoptions->certificate_file);
safefree(tlsoptions->key_file);
safefree(tlsoptions->dh_file);
safefree(tlsoptions->trusted_ca_file);
safefree(tlsoptions->ciphers);
safefree(tlsoptions->ciphersuites);
safefree(tlsoptions->ecdh_curves);
safefree(tlsoptions->outdated_protocols);
safefree(tlsoptions->outdated_ciphers);
memset(tlsoptions, 0, sizeof(TLSOptions));
MyFree(tlsoptions);
}
void conf_sslblock(ConfigFile *conf, ConfigEntry *cep, SSLOptions *ssloptions)
void conf_tlsblock(ConfigFile *conf, ConfigEntry *cep, TLSOptions *tlsoptions)
{
ConfigEntry *cepp, *ceppp;
NameValue *ofl;
/* First, inherit settings from set::options::ssl */
if (ssloptions != tempiConf.ssl_options)
/* First, inherit settings from set::options::tls */
if (tlsoptions != tempiConf.tls_options)
{
safestrdup(ssloptions->certificate_file, tempiConf.ssl_options->certificate_file);
safestrdup(ssloptions->key_file, tempiConf.ssl_options->key_file);
safestrdup(ssloptions->dh_file, tempiConf.ssl_options->dh_file);
safestrdup(ssloptions->trusted_ca_file, tempiConf.ssl_options->trusted_ca_file);
ssloptions->protocols = tempiConf.ssl_options->protocols;
safestrdup(ssloptions->ciphers, tempiConf.ssl_options->ciphers);
safestrdup(ssloptions->ciphersuites, tempiConf.ssl_options->ciphersuites);
safestrdup(ssloptions->ecdh_curves, tempiConf.ssl_options->ecdh_curves);
safestrdup(ssloptions->outdated_protocols, tempiConf.ssl_options->outdated_protocols);
safestrdup(ssloptions->outdated_ciphers, tempiConf.ssl_options->outdated_ciphers);
ssloptions->options = tempiConf.ssl_options->options;
ssloptions->renegotiate_bytes = tempiConf.ssl_options->renegotiate_bytes;
ssloptions->renegotiate_timeout = tempiConf.ssl_options->renegotiate_timeout;
ssloptions->sts_port = tempiConf.ssl_options->sts_port;
ssloptions->sts_duration = tempiConf.ssl_options->sts_duration;
ssloptions->sts_preload = tempiConf.ssl_options->sts_preload;
safestrdup(tlsoptions->certificate_file, tempiConf.tls_options->certificate_file);
safestrdup(tlsoptions->key_file, tempiConf.tls_options->key_file);
safestrdup(tlsoptions->dh_file, tempiConf.tls_options->dh_file);
safestrdup(tlsoptions->trusted_ca_file, tempiConf.tls_options->trusted_ca_file);
tlsoptions->protocols = tempiConf.tls_options->protocols;
safestrdup(tlsoptions->ciphers, tempiConf.tls_options->ciphers);
safestrdup(tlsoptions->ciphersuites, tempiConf.tls_options->ciphersuites);
safestrdup(tlsoptions->ecdh_curves, tempiConf.tls_options->ecdh_curves);
safestrdup(tlsoptions->outdated_protocols, tempiConf.tls_options->outdated_protocols);
safestrdup(tlsoptions->outdated_ciphers, tempiConf.tls_options->outdated_ciphers);
tlsoptions->options = tempiConf.tls_options->options;
tlsoptions->renegotiate_bytes = tempiConf.tls_options->renegotiate_bytes;
tlsoptions->renegotiate_timeout = tempiConf.tls_options->renegotiate_timeout;
tlsoptions->sts_port = tempiConf.tls_options->sts_port;
tlsoptions->sts_duration = tempiConf.tls_options->sts_duration;
tlsoptions->sts_preload = tempiConf.tls_options->sts_preload;
}
/* Now process the options */
@@ -7227,15 +7230,15 @@ void conf_sslblock(ConfigFile *conf, ConfigEntry *cep, SSLOptions *ssloptions)
{
if (!strcmp(cepp->ce_varname, "ciphers") || !strcmp(cepp->ce_varname, "server-cipher-list"))
{
safestrdup(ssloptions->ciphers, cepp->ce_vardata);
safestrdup(tlsoptions->ciphers, cepp->ce_vardata);
}
else if (!strcmp(cepp->ce_varname, "ciphersuites"))
{
safestrdup(ssloptions->ciphersuites, cepp->ce_vardata);
safestrdup(tlsoptions->ciphersuites, cepp->ce_vardata);
}
else if (!strcmp(cepp->ce_varname, "ecdh-curves"))
{
safestrdup(ssloptions->ecdh_curves, cepp->ce_vardata);
safestrdup(tlsoptions->ecdh_curves, cepp->ce_vardata);
}
else if (!strcmp(cepp->ce_varname, "protocols"))
{
@@ -7244,7 +7247,7 @@ void conf_sslblock(ConfigFile *conf, ConfigEntry *cep, SSLOptions *ssloptions)
char modifier;
strlcpy(copy, cepp->ce_vardata, sizeof(copy));
ssloptions->protocols = 0;
tlsoptions->protocols = 0;
for (name = strtoken(&p, copy, ","); name; name = strtoken(&p, NULL, ","))
{
modifier = '\0';
@@ -7257,24 +7260,24 @@ void conf_sslblock(ConfigFile *conf, ConfigEntry *cep, SSLOptions *ssloptions)
}
if (!stricmp(name, "All"))
option = SSL_PROTOCOL_ALL;
option = TLS_PROTOCOL_ALL;
else if (!stricmp(name, "TLSv1"))
option = SSL_PROTOCOL_TLSV1;
option = TLS_PROTOCOL_TLSV1;
else if (!stricmp(name, "TLSv1.1"))
option = SSL_PROTOCOL_TLSV1_1;
option = TLS_PROTOCOL_TLSV1_1;
else if (!stricmp(name, "TLSv1.2"))
option = SSL_PROTOCOL_TLSV1_2;
option = TLS_PROTOCOL_TLSV1_2;
else if (!stricmp(name, "TLSv1.3"))
option = SSL_PROTOCOL_TLSV1_3;
option = TLS_PROTOCOL_TLSV1_3;
if (option)
{
if (modifier == '\0')
ssloptions->protocols = option;
tlsoptions->protocols = option;
else if (modifier == '+')
ssloptions->protocols |= option;
tlsoptions->protocols |= option;
else if (modifier == '-')
ssloptions->protocols &= ~option;
tlsoptions->protocols &= ~option;
}
}
}
@@ -7285,50 +7288,50 @@ void conf_sslblock(ConfigFile *conf, ConfigEntry *cep, SSLOptions *ssloptions)
else if (!strcmp(cepp->ce_varname, "certificate"))
{
convert_to_absolute_path(&cepp->ce_vardata, CONFDIR);
safestrdup(ssloptions->certificate_file, cepp->ce_vardata);
safestrdup(tlsoptions->certificate_file, cepp->ce_vardata);
}
else if (!strcmp(cepp->ce_varname, "key"))
{
convert_to_absolute_path(&cepp->ce_vardata, CONFDIR);
safestrdup(ssloptions->key_file, cepp->ce_vardata);
safestrdup(tlsoptions->key_file, cepp->ce_vardata);
}
else if (!strcmp(cepp->ce_varname, "trusted-ca-file"))
{
convert_to_absolute_path(&cepp->ce_vardata, CONFDIR);
safestrdup(ssloptions->trusted_ca_file, cepp->ce_vardata);
safestrdup(tlsoptions->trusted_ca_file, cepp->ce_vardata);
}
else if (!strcmp(cepp->ce_varname, "renegotiate-bytes"))
{
ssloptions->renegotiate_bytes = config_checkval(cepp->ce_vardata, CFG_SIZE);
tlsoptions->renegotiate_bytes = config_checkval(cepp->ce_vardata, CFG_SIZE);
}
else if (!strcmp(cepp->ce_varname, "renegotiate-timeout"))
{
ssloptions->renegotiate_timeout = config_checkval(cepp->ce_vardata, CFG_TIME);
tlsoptions->renegotiate_timeout = config_checkval(cepp->ce_vardata, CFG_TIME);
}
else if (!strcmp(cepp->ce_varname, "options"))
{
ssloptions->options = 0;
tlsoptions->options = 0;
for (ceppp = cepp->ce_entries; ceppp; ceppp = ceppp->ce_next)
{
ofl = config_binary_flags_search(_SSLFlags, ceppp->ce_varname, ARRAY_SIZEOF(_SSLFlags));
ofl = config_binary_flags_search(_TLSFlags, ceppp->ce_varname, ARRAY_SIZEOF(_TLSFlags));
if (ofl) /* this should always be true */
ssloptions->options |= ofl->flag;
tlsoptions->options |= ofl->flag;
}
}
else if (!strcmp(cepp->ce_varname, "sts-policy"))
{
/* We do not inherit ::sts-policy if there is a specific block for this one... */
ssloptions->sts_port = 0;
ssloptions->sts_duration = 0;
ssloptions->sts_preload = 0;
tlsoptions->sts_port = 0;
tlsoptions->sts_duration = 0;
tlsoptions->sts_preload = 0;
for (ceppp = cepp->ce_entries; ceppp; ceppp = ceppp->ce_next)
{
if (!strcmp(ceppp->ce_varname, "port"))
ssloptions->sts_port = atoi(ceppp->ce_vardata);
tlsoptions->sts_port = atoi(ceppp->ce_vardata);
else if (!strcmp(ceppp->ce_varname, "duration"))
ssloptions->sts_duration = config_checkval(ceppp->ce_vardata, CFG_TIME);
tlsoptions->sts_duration = config_checkval(ceppp->ce_vardata, CFG_TIME);
else if (!strcmp(ceppp->ce_varname, "preload"))
ssloptions->sts_preload = config_checkval(ceppp->ce_vardata, CFG_YESNO);
tlsoptions->sts_preload = config_checkval(ceppp->ce_vardata, CFG_YESNO);
}
}
}
@@ -7628,8 +7631,8 @@ int _conf_set(ConfigFile *conf, ConfigEntry *ce)
else if (!strcmp(cepp->ce_varname, "show-connect-info")) {
tempiConf.show_connect_info = 1;
}
else if (!strcmp(cepp->ce_varname, "no-connect-ssl-info")) {
tempiConf.no_connect_ssl_info = 1;
else if (!strcmp(cepp->ce_varname, "no-connect-tls-info")) {
tempiConf.no_connect_tls_info = 1;
}
else if (!strcmp(cepp->ce_varname, "dont-resolve")) {
tempiConf.dont_resolve = 1;
@@ -7742,9 +7745,9 @@ int _conf_set(ConfigFile *conf, ConfigEntry *ce)
int v = atoi(cep->ce_vardata);
tempiConf.quit_length = v;
}
else if (!strcmp(cep->ce_varname, "ssl")) {
/* no need to alloc tempiConf.ssl_options since config_defaults() already ensures it exists */
conf_sslblock(conf, cep, tempiConf.ssl_options);
else if (!strcmp(cep->ce_varname, "ssl") || !strcmp(cep->ce_varname, "tls")) {
/* no need to alloc tempiConf.tls_options since config_defaults() already ensures it exists */
conf_tlsblock(conf, cep, tempiConf.tls_options);
}
else if (!strcmp(cep->ce_varname, "plaintext-policy"))
{
@@ -8529,8 +8532,8 @@ int _test_set(ConfigFile *conf, ConfigEntry *ce)
else if (!strcmp(cepp->ce_varname, "show-connect-info")) {
CheckDuplicate(cepp, options_show_connect_info, "options::show-connect-info");
}
else if (!strcmp(cepp->ce_varname, "no-connect-ssl-info")) {
CheckDuplicate(cepp, options_no_connect_ssl_info, "options::no-connect-ssl-info");
else if (!strcmp(cepp->ce_varname, "no-connect-tls-info")) {
CheckDuplicate(cepp, options_no_connect_tls_info, "options::no-connect-tls-info");
}
else if (!strcmp(cepp->ce_varname, "dont-resolve")) {
CheckDuplicate(cepp, options_dont_resolve, "options::dont-resolve");
@@ -8780,8 +8783,8 @@ int _test_set(ConfigFile *conf, ConfigEntry *ce)
errors++;
}
}
else if (!strcmp(cep->ce_varname, "ssl")) {
test_sslblock(conf, cep, &errors);
else if (!strcmp(cep->ce_varname, "ssl") || !strcmp(cep->ce_varname, "tls")) {
test_tlsblock(conf, cep, &errors);
}
else if (!strcmp(cep->ce_varname, "plaintext-policy"))
{
@@ -9147,16 +9150,16 @@ void start_listeners(void)
ircd_log(LOG_ERROR, "UnrealIRCd is now also listening on %s:%d (%s)%s",
listenptr->ip, listenptr->port,
listenptr->ipv6 ? "IPv6" : "IPv4",
listenptr->options & LISTENER_SSL ? " (SSL)" : "");
listenptr->options & LISTENER_TLS ? " (SSL/TLS)" : "");
} else {
if (listenptr->ipv6)
snprintf(boundmsg_ipv6+strlen(boundmsg_ipv6), sizeof(boundmsg_ipv6)-strlen(boundmsg_ipv6),
"%s:%d%s, ", listenptr->ip, listenptr->port,
listenptr->options & LISTENER_SSL ? "(SSL)" : "");
listenptr->options & LISTENER_TLS ? "(SSL/TLS)" : "");
else
snprintf(boundmsg_ipv4+strlen(boundmsg_ipv4), sizeof(boundmsg_ipv4)-strlen(boundmsg_ipv4),
"%s:%d%s, ", listenptr->ip, listenptr->port,
listenptr->options & LISTENER_SSL ? "(SSL)" : "");
listenptr->options & LISTENER_TLS ? "(SSL/TLS)" : "");
}
}
}
@@ -10212,10 +10215,10 @@ void link_cleanup(ConfigItem_link *link_ptr)
SSL_CTX_free(link_ptr->ssl_ctx);
link_ptr->ssl_ctx = NULL;
}
if (link_ptr->ssl_options)
if (link_ptr->tls_options)
{
free_ssl_options(link_ptr->ssl_options);
link_ptr->ssl_options = NULL;
free_tls_options(link_ptr->tls_options);
link_ptr->tls_options = NULL;
}
}
@@ -10259,7 +10262,7 @@ void listen_cleanup()
if (listen_ptr->flag.temporary && !listen_ptr->clients)
{
safefree(listen_ptr->ip);
free_ssl_options(listen_ptr->ssl_options);
free_tls_options(listen_ptr->tls_options);
DelListItem(listen_ptr, conf_listen);
MyFree(listen_ptr);
i++;
@@ -10547,12 +10550,12 @@ void load_includes(void)
inc->flag.type &= ~INCLUDE_NOTLOADED;
}
int ssl_tests(void)
int tls_tests(void)
{
if (have_ssl_listeners == 0)
if (have_tls_listeners == 0)
{
config_error("Your server is not listening on any SSL ports.");
config_status("Add this to your unrealircd.conf: listen { ip %s; port 6697; options { ssl; }; };",
config_error("Your server is not listening on any SSL/TLS ports.");
config_status("Add this to your unrealircd.conf: listen { ip %s; port 6697; options { tls; }; };",
port_6667_ip ? port_6667_ip : "*");
config_status("See https://www.unrealircd.org/docs/FAQ#Your_server_is_not_listening_on_any_SSL_ports");
return 0;
+1 -1
View File
@@ -458,7 +458,7 @@ SSL_CTX *crashreport_init_ssl(void)
SSL_CTX_set_options(ctx_client, SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3);
/* Verify peer certificate */
snprintf(buf, sizeof(buf), "%s/ssl/curl-ca-bundle.crt", CONFDIR);
snprintf(buf, sizeof(buf), "%s/tls/curl-ca-bundle.crt", CONFDIR);
SSL_CTX_load_verify_locations(ctx_client, buf, NULL);
SSL_CTX_set_verify(ctx_client, SSL_VERIFY_PEER, NULL);
+3 -3
View File
@@ -510,7 +510,7 @@ int check_ping(aClient *cptr)
)
{
if (IsServer(cptr) || IsConnecting(cptr) ||
IsHandshake(cptr) || IsSSLConnectHandshake(cptr))
IsHandshake(cptr) || IsTLSConnectHandshake(cptr))
{
sendto_ops_and_log
("No response from %s, closing link",
@@ -520,7 +520,7 @@ int check_ping(aClient *cptr)
me.name, get_client_name(cptr,
FALSE));
}
if (IsSSLAcceptHandshake(cptr))
if (IsTLSAcceptHandshake(cptr))
Debug((DEBUG_DEBUG, "ssl accept handshake timeout: %s (%li-%li > %li)", cptr->local->sockhost,
TStime(), cptr->local->since, ping));
(void)ircsnprintf(scratch, sizeof(scratch), "Ping timeout: %ld seconds",
@@ -545,7 +545,7 @@ int check_ping(aClient *cptr)
}
else if (!IsPingWarning(cptr) && PINGWARNING > 0 &&
(IsServer(cptr) || IsHandshake(cptr) || IsConnecting(cptr) ||
IsSSLConnectHandshake(cptr)) &&
IsTLSConnectHandshake(cptr)) &&
(TStime() - cptr->local->lasttime) >= (ping + PINGWARNING))
{
SetPingWarning(cptr);
+1 -1
View File
@@ -319,7 +319,7 @@ void remove_client_from_list(aClient *cptr)
cptr->srvptr->serv->users--;
}
if (IsUnknown(cptr) || IsConnecting(cptr) || IsHandshake(cptr)
|| IsSSLHandshake(cptr)
|| IsTLSHandshake(cptr)
)
IRCstats.unknown--;
+1 -1
View File
@@ -123,7 +123,7 @@ int certfp_connect(aClient *acptr)
{
char *fp = moddata_client_get(acptr, "certfp");
if (fp && !iConf.no_connect_ssl_info)
if (fp && !iConf.no_connect_tls_info)
sendnotice(acptr, "*** Your SSL fingerprint is %s", fp);
}
+2 -2
View File
@@ -1426,7 +1426,7 @@ int _register_user(aClient *cptr, aClient *sptr, char *nick, char *username, cha
if (IsSecureConnect(sptr))
{
if (sptr->local->ssl && !iConf.no_connect_ssl_info)
if (sptr->local->ssl && !iConf.no_connect_tls_info)
{
sendnotice(sptr, "*** You are connected to %s with %s",
me.name, ssl_get_cipher(sptr->local->ssl));
@@ -1713,7 +1713,7 @@ int AllowClient(aClient *cptr, struct hostent *hp, char *sockhost, char *usernam
goto attach;
if (aconf->auth && !cptr->local->passwd)
continue;
if (aconf->flags.ssl && !IsSecure(cptr))
if (aconf->flags.tls && !IsSecure(cptr))
continue;
if (hp && hp->h_name)
{
+1 -1
View File
@@ -365,7 +365,7 @@ skip_host_check:
{
char *errstr = NULL;
if (!IsSSL(cptr))
if (!IsTLS(cptr))
{
sendto_one(cptr, NULL,
"ERROR :Link '%s' denied (Not using SSL/TLS) %s",
+6 -6
View File
@@ -63,13 +63,13 @@ MOD_UNLOAD(starttls)
CMD_FUNC(m_starttls)
{
SSL_CTX *ctx;
int ssl_options;
int tls_options;
if (!MyConnect(sptr) || !IsUnknown(sptr))
return 0;
ctx = sptr->local->listener->ssl_ctx ? sptr->local->listener->ssl_ctx : ctx_server;
ssl_options = sptr->local->listener->ssl_options ? sptr->local->listener->ssl_options->options : iConf.ssl_options->options;
tls_options = sptr->local->listener->tls_options ? sptr->local->listener->tls_options->options : iConf.tls_options->options;
/* Is SSL support enabled? (may not, if failed to load cert/keys/..) */
if (!ctx)
@@ -80,7 +80,7 @@ CMD_FUNC(m_starttls)
}
/* Is STARTTLS disabled? (same response as above) */
if (ssl_options & SSLFLAG_NOSTARTTLS)
if (tls_options & TLSFLAG_NOSTARTTLS)
{
sendnumeric(sptr, ERR_NOTREGISTERED);
return 0;
@@ -96,11 +96,11 @@ CMD_FUNC(m_starttls)
sendnumeric(sptr, RPL_STARTTLS);
send_queued(sptr);
SetSSLStartTLSHandshake(sptr);
SetStartTLSHandshake(sptr);
Debug((DEBUG_DEBUG, "Starting SSL handshake (due to STARTTLS) for %s", sptr->local->sockhost));
if ((sptr->local->ssl = SSL_new(ctx)) == NULL)
goto fail;
sptr->flags |= FLAGS_SSL;
sptr->flags |= FLAGS_TLS;
SSL_set_fd(sptr->local->ssl, sptr->fd);
SSL_set_nonblocking(sptr->local->ssl);
if (!ircd_SSL_accept(sptr, sptr->fd)) {
@@ -117,7 +117,7 @@ fail:
/* Failure */
sendnumeric(sptr, ERR_STARTTLS, "STARTTLS failed");
sptr->local->ssl = NULL;
sptr->flags &= ~FLAGS_SSL;
sptr->flags &= ~FLAGS_TLS;
SetUnknown(sptr);
return 0;
}
+8 -8
View File
@@ -431,7 +431,7 @@ int stats_links(aClient *sptr, char *para)
link_p->outgoing.port,
link_p->class->name,
(link_p->outgoing.options & CONNECT_AUTO) ? "a" : "",
(link_p->outgoing.options & CONNECT_SSL) ? "S" : "",
(link_p->outgoing.options & CONNECT_TLS) ? "S" : "",
(link_p->flag.temporary == 1) ? "T" : "");
#ifdef DEBUGMODE
sendnotice(sptr, "%s (%p) has refcount %d",
@@ -558,8 +558,8 @@ static char *stats_port_helper(ConfigItem_listen *listener)
ircsnprintf(buf, sizeof(buf), "%s%s%s%s",
(listener->options & LISTENER_CLIENTSONLY)? "clientsonly ": "",
(listener->options & LISTENER_SERVERSONLY)? "serversonly ": "",
(listener->options & LISTENER_SSL)? "ssl ": "",
!(listener->options & LISTENER_SSL)? "plaintext ": "");
(listener->options & LISTENER_TLS)? "ssl ": "",
!(listener->options & LISTENER_TLS)? "plaintext ": "");
return buf;
}
@@ -1109,16 +1109,16 @@ int stats_set(aClient *sptr, char *para)
sendtxtnumeric(sptr, "hide-ban-reason: %d", HIDE_BAN_REASON);
sendtxtnumeric(sptr, "anti-spam-quit-message-time: %s", pretty_time_val(ANTI_SPAM_QUIT_MSG_TIME));
sendtxtnumeric(sptr, "channel-command-prefix: %s", CHANCMDPFX ? CHANCMDPFX : "`");
sendtxtnumeric(sptr, "ssl::certificate: %s", SafePrint(iConf.ssl_options->certificate_file));
sendtxtnumeric(sptr, "ssl::key: %s", SafePrint(iConf.ssl_options->key_file));
sendtxtnumeric(sptr, "ssl::trusted-ca-file: %s", SafePrint(iConf.ssl_options->trusted_ca_file));
sendtxtnumeric(sptr, "ssl::options: %s", iConf.ssl_options->options & SSLFLAG_FAILIFNOCERT ? "FAILIFNOCERT" : "");
sendtxtnumeric(sptr, "ssl::certificate: %s", SafePrint(iConf.tls_options->certificate_file));
sendtxtnumeric(sptr, "ssl::key: %s", SafePrint(iConf.tls_options->key_file));
sendtxtnumeric(sptr, "ssl::trusted-ca-file: %s", SafePrint(iConf.tls_options->trusted_ca_file));
sendtxtnumeric(sptr, "ssl::options: %s", iConf.tls_options->options & TLSFLAG_FAILIFNOCERT ? "FAILIFNOCERT" : "");
sendtxtnumeric(sptr, "options::show-opermotd: %d", SHOWOPERMOTD);
sendtxtnumeric(sptr, "options::hide-ulines: %d", HIDE_ULINES);
sendtxtnumeric(sptr, "options::identd-check: %d", IDENT_CHECK);
sendtxtnumeric(sptr, "options::fail-oper-warn: %d", FAILOPER_WARN);
sendtxtnumeric(sptr, "options::show-connect-info: %d", SHOWCONNECTINFO);
sendtxtnumeric(sptr, "options::no-connect-ssl-info: %d", NOCONNECTSSLINFO);
sendtxtnumeric(sptr, "options::no-connect-tls-info: %d", NOCONNECTSSLINFO);
sendtxtnumeric(sptr, "options::dont-resolve: %d", DONT_RESOLVE);
sendtxtnumeric(sptr, "options::mkpasswd-for-everyone: %d", MKPASSWD_FOR_EVERYONE);
sendtxtnumeric(sptr, "options::allow-insane-bans: %d", ALLOW_INSANE_BANS);
+7 -7
View File
@@ -57,20 +57,20 @@ MOD_UNLOAD(sts)
*/
int sts_capability_visible(aClient *acptr)
{
SSLOptions *ssl;
TLSOptions *ssl;
/* This is possible if queried from the CAP NEW/DEL code */
if (acptr == NULL)
return (iConf.ssl_options && iConf.ssl_options->sts_port) ? 1 : 0;
return (iConf.tls_options && iConf.tls_options->sts_port) ? 1 : 0;
if (!IsSecure(acptr))
{
if (iConf.ssl_options && iConf.ssl_options->sts_port)
if (iConf.tls_options && iConf.tls_options->sts_port)
return 1; /* YES, non-SSL user and set::ssl::sts-policy configured */
return 0; /* NO, there is no sts-policy */
}
ssl = FindSSLOptionsForUser(acptr);
ssl = FindTLSOptionsForUser(acptr);
if (ssl && ssl->sts_port)
return 1;
@@ -80,13 +80,13 @@ int sts_capability_visible(aClient *acptr)
char *sts_capability_parameter(aClient *acptr)
{
SSLOptions *ssl;
TLSOptions *ssl;
static char buf[256];
if (IsSecure(acptr))
ssl = FindSSLOptionsForUser(acptr);
ssl = FindTLSOptionsForUser(acptr);
else
ssl = iConf.ssl_options;
ssl = iConf.tls_options;
if (!ssl)
return ""; /* This would be odd. */
+2 -2
View File
@@ -210,11 +210,11 @@ CMD_FUNC(m_trace)
cnt++;
break;
#ifdef USE_SSL
case STAT_SSL_CONNECT_HANDSHAKE:
case STAT_TLS_CONNECT_HANDSHAKE:
sendnumeric(sptr, RPL_TRACENEWTYPE, "SSL-Connect-Handshake", name);
cnt++;
break;
case STAT_SSL_ACCEPT_HANDSHAKE:
case STAT_TLS_ACCEPT_HANDSHAKE:
sendnumeric(sptr, RPL_TRACENEWTYPE, "SSL-Accept-Handshake", name);
cnt++;
break;
+2 -2
View File
@@ -397,12 +397,12 @@ char *get_cptr_status(aClient *acptr)
*p++ = 'S';
if (acptr->umodes & LISTENER_CLIENTSONLY)
*p++ = 'C';
if (acptr->umodes & LISTENER_SSL)
if (acptr->umodes & LISTENER_TLS)
*p++ = 's';
}
else
{
if (acptr->flags & FLAGS_SSL)
if (acptr->flags & FLAGS_TLS)
*p++ = 's';
}
*p++ = ']';
+2 -2
View File
@@ -48,7 +48,7 @@ int deliver_it(aClient *cptr, char *str, int len, int *want_read)
if (IsDead(cptr) || (!IsServer(cptr) && !IsPerson(cptr)
&& !IsHandshake(cptr)
&& !IsSSLHandshake(cptr)
&& !IsTLSHandshake(cptr)
&& !IsUnknown(cptr)))
{
@@ -59,7 +59,7 @@ int deliver_it(aClient *cptr, char *str, int len, int *want_read)
return -1;
}
if (IsSSL(cptr) && cptr->local->ssl != NULL)
if (IsTLS(cptr) && cptr->local->ssl != NULL)
{
retval = SSL_write(cptr->local->ssl, str, len);
+63 -63
View File
@@ -227,7 +227,7 @@ static int setup_dh_params(SSL_CTX *ctx)
{
DH *dh;
BIO *bio;
char *dh_file = iConf.ssl_options ? iConf.ssl_options->dh_file : tempiConf.ssl_options->dh_file;
char *dh_file = iConf.tls_options ? iConf.tls_options->dh_file : tempiConf.tls_options->dh_file;
/* ^^ because we can be called both before config file initalization or after */
if (dh_file == NULL)
@@ -256,7 +256,7 @@ static int setup_dh_params(SSL_CTX *ctx)
}
/** Disable SSL/TLS protocols as set by config */
void disable_ssl_protocols(SSL_CTX *ctx, SSLOptions *ssloptions)
void disable_ssl_protocols(SSL_CTX *ctx, TLSOptions *tlsoptions)
{
/* OpenSSL has two mechanisms for protocol version control:
*
@@ -275,12 +275,12 @@ void disable_ssl_protocols(SSL_CTX *ctx, SSLOptions *ssloptions)
* minimum protocol version to begin with.
*/
#ifdef HAS_SSL_CTX_SET_MIN_PROTO_VERSION
if (!(ssloptions->protocols & SSL_PROTOCOL_TLSV1) &&
!(ssloptions->protocols & SSL_PROTOCOL_TLSV1_1))
if (!(tlsoptions->protocols & TLS_PROTOCOL_TLSV1) &&
!(tlsoptions->protocols & TLS_PROTOCOL_TLSV1_1))
{
SSL_CTX_set_min_proto_version(ctx, TLS1_2_VERSION);
} else
if (!(ssloptions->protocols & SSL_PROTOCOL_TLSV1))
if (!(tlsoptions->protocols & TLS_PROTOCOL_TLSV1))
{
SSL_CTX_set_min_proto_version(ctx, TLS1_1_VERSION);
} else
@@ -292,27 +292,27 @@ void disable_ssl_protocols(SSL_CTX *ctx, SSLOptions *ssloptions)
SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3); /* always disable SSLv3 */
#ifdef SSL_OP_NO_TLSv1
if (!(ssloptions->protocols & SSL_PROTOCOL_TLSV1))
if (!(tlsoptions->protocols & TLS_PROTOCOL_TLSV1))
SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1);
#endif
#ifdef SSL_OP_NO_TLSv1_1
if (!(ssloptions->protocols & SSL_PROTOCOL_TLSV1_1))
if (!(tlsoptions->protocols & TLS_PROTOCOL_TLSV1_1))
SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1_1);
#endif
#ifdef SSL_OP_NO_TLSv1_2
if (!(ssloptions->protocols & SSL_PROTOCOL_TLSV1_2))
if (!(tlsoptions->protocols & TLS_PROTOCOL_TLSV1_2))
SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1_2);
#endif
#ifdef SSL_OP_NO_TLSv1_3
if (!(ssloptions->protocols & SSL_PROTOCOL_TLSV1_3))
if (!(tlsoptions->protocols & TLS_PROTOCOL_TLSV1_3))
SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1_3);
#endif
}
SSL_CTX *init_ctx(SSLOptions *ssloptions, int server)
SSL_CTX *init_ctx(TLSOptions *tlsoptions, int server)
{
SSL_CTX *ctx;
char *errstr = NULL;
@@ -328,10 +328,10 @@ SSL_CTX *init_ctx(SSLOptions *ssloptions, int server)
config_report_ssl_error();
return NULL;
}
disable_ssl_protocols(ctx, ssloptions);
disable_ssl_protocols(ctx, tlsoptions);
SSL_CTX_set_default_passwd_cb(ctx, ssl_pem_passwd_cb);
if (server && !(ssloptions->options & SSLFLAG_DISABLECLIENTCERT))
if (server && !(tlsoptions->options & TLSFLAG_DISABLECLIENTCERT))
{
/* We tell OpenSSL/LibreSSL to verify the certificate and set our callback.
* Our callback will always accept the certificate since actual checking
@@ -340,7 +340,7 @@ SSL_CTX *init_ctx(SSLOptions *ssloptions, int server)
* _verify_link() will take care of it only after we learned what server
* we are dealing with (and if we should verify certificates for that server).
*/
SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER|SSL_VERIFY_CLIENT_ONCE | (ssloptions->options & SSLFLAG_FAILIFNOCERT ? SSL_VERIFY_FAIL_IF_NO_PEER_CERT : 0), ssl_verify_callback);
SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER|SSL_VERIFY_CLIENT_ONCE | (tlsoptions->options & TLSFLAG_FAILIFNOCERT ? SSL_VERIFY_FAIL_IF_NO_PEER_CERT : 0), ssl_verify_callback);
}
SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF);
#ifndef SSL_OP_NO_TICKET
@@ -351,30 +351,30 @@ SSL_CTX *init_ctx(SSLOptions *ssloptions, int server)
if (!setup_dh_params(ctx))
goto fail;
if (!ssloptions->certificate_file)
if (!tlsoptions->certificate_file)
{
config_error("No SSL certificate configured (set::options::ssl::certificate or in a listen block)");
config_report_ssl_error();
goto fail;
}
if (SSL_CTX_use_certificate_chain_file(ctx, ssloptions->certificate_file) <= 0)
if (SSL_CTX_use_certificate_chain_file(ctx, tlsoptions->certificate_file) <= 0)
{
config_error("Failed to load SSL certificate %s", ssloptions->certificate_file);
config_error("Failed to load SSL certificate %s", tlsoptions->certificate_file);
config_report_ssl_error();
goto fail;
}
if (!ssloptions->key_file)
if (!tlsoptions->key_file)
{
config_error("No SSL key configured (set::options::ssl::key or in a listen block)");
config_report_ssl_error();
goto fail;
}
if (SSL_CTX_use_PrivateKey_file(ctx, ssloptions->key_file, SSL_FILETYPE_PEM) <= 0)
if (SSL_CTX_use_PrivateKey_file(ctx, tlsoptions->key_file, SSL_FILETYPE_PEM) <= 0)
{
config_error("Failed to load SSL private key %s", ssloptions->key_file);
config_error("Failed to load SSL private key %s", tlsoptions->key_file);
config_report_ssl_error();
goto fail;
}
@@ -386,7 +386,7 @@ SSL_CTX *init_ctx(SSLOptions *ssloptions, int server)
goto fail;
}
if (SSL_CTX_set_cipher_list(ctx, ssloptions->ciphers) == 0)
if (SSL_CTX_set_cipher_list(ctx, tlsoptions->ciphers) == 0)
{
config_error("Failed to set SSL cipher list");
config_report_ssl_error();
@@ -394,7 +394,7 @@ SSL_CTX *init_ctx(SSLOptions *ssloptions, int server)
}
#ifdef SSL_OP_NO_TLSv1_3
if (SSL_CTX_set_ciphersuites(ctx, ssloptions->ciphersuites) == 0)
if (SSL_CTX_set_ciphersuites(ctx, tlsoptions->ciphersuites) == 0)
{
config_error("Failed to set SSL ciphersuites list");
config_report_ssl_error();
@@ -413,11 +413,11 @@ SSL_CTX *init_ctx(SSLOptions *ssloptions, int server)
if (server)
SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
if (ssloptions->trusted_ca_file)
if (tlsoptions->trusted_ca_file)
{
if (!SSL_CTX_load_verify_locations(ctx, ssloptions->trusted_ca_file, NULL))
if (!SSL_CTX_load_verify_locations(ctx, tlsoptions->trusted_ca_file, NULL))
{
config_error("Failed to load Trusted CA's from %s", ssloptions->trusted_ca_file);
config_error("Failed to load Trusted CA's from %s", tlsoptions->trusted_ca_file);
config_report_ssl_error();
goto fail;
}
@@ -441,10 +441,10 @@ SSL_CTX *init_ctx(SSLOptions *ssloptions, int server)
*/
#endif
/* Let's see if we need to (and can) set specific curves */
if (ssloptions->ecdh_curves)
if (tlsoptions->ecdh_curves)
{
#ifdef HAS_SSL_CTX_SET1_CURVES_LIST
if (!SSL_CTX_set1_curves_list(ctx, ssloptions->ecdh_curves))
if (!SSL_CTX_set1_curves_list(ctx, tlsoptions->ecdh_curves))
{
config_error("Failed to apply ecdh-curves '%s'. "
"To get a list of supported curves with the "
@@ -452,7 +452,7 @@ SSL_CTX *init_ctx(SSLOptions *ssloptions, int server)
"'openssl ecparam -list_curves' on the server. "
"Separate multiple curves by colon, "
"for example: ecdh-curves \"secp521r1:secp384r1\".",
ssloptions->ecdh_curves);
tlsoptions->ecdh_curves);
config_report_ssl_error();
goto fail;
}
@@ -496,10 +496,10 @@ int early_init_ssl(void)
int init_ssl(void)
{
/* SSL preliminaries. We keep the certificate and key with the context. */
ctx_server = init_ctx(iConf.ssl_options, 1);
ctx_server = init_ctx(iConf.tls_options, 1);
if (!ctx_server)
return 0;
ctx_client = init_ctx(iConf.ssl_options, 0);
ctx_client = init_ctx(iConf.tls_options, 0);
if (!ctx_client)
return 0;
return 1;
@@ -521,7 +521,7 @@ void reinit_ssl(aClient *acptr)
mylog("%s requested a reload of all SSL related data (/rehash -ssl)",
acptr->name);
tmp = init_ctx(iConf.ssl_options, 1);
tmp = init_ctx(iConf.tls_options, 1);
if (!tmp)
{
config_error("SSL Reload failed.");
@@ -530,7 +530,7 @@ void reinit_ssl(aClient *acptr)
}
ctx_server = tmp; /* activate */
tmp = init_ctx(iConf.ssl_options, 0);
tmp = init_ctx(iConf.tls_options, 0);
if (!tmp)
{
config_error("SSL Reload partially failed. Server context is reloaded, client context failed");
@@ -542,9 +542,9 @@ void reinit_ssl(aClient *acptr)
/* listen::ssl-options.... */
for (listen = conf_listen; listen; listen = listen->next)
{
if (listen->ssl_options)
if (listen->tls_options)
{
tmp = init_ctx(listen->ssl_options, 1);
tmp = init_ctx(listen->tls_options, 1);
if (!tmp)
{
config_error("SSL Reload partially failed. listen::ssl-options error, see above");
@@ -558,9 +558,9 @@ void reinit_ssl(aClient *acptr)
/* sni::ssl-options.... */
for (sni = conf_sni; sni; sni = sni->next)
{
if (sni->ssl_options)
if (sni->tls_options)
{
tmp = init_ctx(sni->ssl_options, 1);
tmp = init_ctx(sni->tls_options, 1);
if (!tmp)
{
config_error("SSL Reload partially failed. sni::ssl-options error, see above");
@@ -574,9 +574,9 @@ void reinit_ssl(aClient *acptr)
/* link::outgoing::ssl-options.... */
for (link = conf_link; link; link = link->next)
{
if (link->ssl_options)
if (link->tls_options)
{
tmp = init_ctx(link->ssl_options, 1);
tmp = init_ctx(link->tls_options, 1);
if (!tmp)
{
config_error("SSL Reload partially failed. link::outgoing::ssl-options error in link %s { }, see above",
@@ -612,15 +612,15 @@ char *ssl_get_cipher(SSL *ssl)
/** Get the applicable ::ssl-options block for this local client,
* which may be defined in the link block, listen block, or set block.
*/
SSLOptions *get_ssl_options_for_client(aClient *acptr)
TLSOptions *get_tls_options_for_client(aClient *acptr)
{
if (!acptr->local)
return NULL;
if (acptr->serv && acptr->serv->conf && acptr->serv->conf->ssl_options)
return acptr->serv->conf->ssl_options;
if (acptr->local && acptr->local->listener && acptr->local->listener->ssl_options)
return acptr->local->listener->ssl_options;
return iConf.ssl_options;
if (acptr->serv && acptr->serv->conf && acptr->serv->conf->tls_options)
return acptr->serv->conf->tls_options;
if (acptr->local && acptr->local->listener && acptr->local->listener->tls_options)
return acptr->local->listener->tls_options;
return iConf.tls_options;
}
/** Outgoing SSL connect (read: handshake) to another server. */
@@ -628,7 +628,7 @@ void ircd_SSL_client_handshake(int fd, int revents, void *data)
{
aClient *acptr = data;
SSL_CTX *ctx = (acptr->serv && acptr->serv->conf && acptr->serv->conf->ssl_ctx) ? acptr->serv->conf->ssl_ctx : ctx_client;
SSLOptions *ssloptions = get_ssl_options_for_client(acptr);
TLSOptions *tlsoptions = get_tls_options_for_client(acptr);
if (!ctx)
{
@@ -647,16 +647,16 @@ void ircd_SSL_client_handshake(int fd, int revents, void *data)
SSL_set_connect_state(acptr->local->ssl);
SSL_set_nonblocking(acptr->local->ssl);
if (ssloptions->renegotiate_bytes > 0)
if (tlsoptions->renegotiate_bytes > 0)
{
BIO_set_ssl_renegotiate_bytes(SSL_get_rbio(acptr->local->ssl), ssloptions->renegotiate_bytes);
BIO_set_ssl_renegotiate_bytes(SSL_get_wbio(acptr->local->ssl), ssloptions->renegotiate_bytes);
BIO_set_ssl_renegotiate_bytes(SSL_get_rbio(acptr->local->ssl), tlsoptions->renegotiate_bytes);
BIO_set_ssl_renegotiate_bytes(SSL_get_wbio(acptr->local->ssl), tlsoptions->renegotiate_bytes);
}
if (ssloptions->renegotiate_timeout > 0)
if (tlsoptions->renegotiate_timeout > 0)
{
BIO_set_ssl_renegotiate_timeout(SSL_get_rbio(acptr->local->ssl), ssloptions->renegotiate_timeout);
BIO_set_ssl_renegotiate_timeout(SSL_get_wbio(acptr->local->ssl), ssloptions->renegotiate_timeout);
BIO_set_ssl_renegotiate_timeout(SSL_get_rbio(acptr->local->ssl), tlsoptions->renegotiate_timeout);
BIO_set_ssl_renegotiate_timeout(SSL_get_wbio(acptr->local->ssl), tlsoptions->renegotiate_timeout);
}
if (acptr->serv && acptr->serv->conf)
@@ -665,7 +665,7 @@ void ircd_SSL_client_handshake(int fd, int revents, void *data)
SSL_set_tlsext_host_name(acptr->local->ssl, acptr->serv->conf->servername);
}
acptr->flags |= FLAGS_SSL;
acptr->flags |= FLAGS_TLS;
switch (ircd_SSL_connect(acptr, fd))
{
@@ -675,8 +675,8 @@ void ircd_SSL_client_handshake(int fd, int revents, void *data)
--OpenFiles;
return;
case 0:
Debug((DEBUG_DEBUG, "SetSSLConnectHandshake(%s)", get_client_name(acptr, TRUE)));
SetSSLConnectHandshake(acptr);
Debug((DEBUG_DEBUG, "SetTLSConnectHandshake(%s)", get_client_name(acptr, TRUE)));
SetTLSConnectHandshake(acptr);
return;
case 1:
Debug((DEBUG_DEBUG, "SSL_init_finished should finish this job (%s)", get_client_name(acptr, TRUE)));
@@ -935,7 +935,7 @@ int client_starttls(aClient *acptr)
if ((acptr->local->ssl = SSL_new(ctx_client)) == NULL)
goto fail_starttls;
acptr->flags |= FLAGS_SSL;
acptr->flags |= FLAGS_TLS;
SSL_set_fd(acptr->local->ssl, acptr->fd);
SSL_set_nonblocking(acptr->local->ssl);
@@ -961,19 +961,19 @@ fail_starttls:
/* Failure */
sendnumeric(acptr, ERR_STARTTLS, "STARTTLS failed");
acptr->local->ssl = NULL;
acptr->flags &= ~FLAGS_SSL;
acptr->flags &= ~FLAGS_TLS;
SetUnknown(acptr);
return 0; /* hm. we allow to continue anyway. not sure if we want that. */
}
/** Find the appropriate SSLOptions structure for a client.
/** Find the appropriate TLSOptions structure for a client.
* NOTE: The default global SSL options will be returned if not found,
* or NULL if no such options are available (unlikely, but possible?).
*/
SSLOptions *FindSSLOptionsForUser(aClient *acptr)
TLSOptions *FindTLSOptionsForUser(aClient *acptr)
{
ConfigItem_sni *sni;
SSLOptions *sslopt = iConf.ssl_options; /* default */
TLSOptions *sslopt = iConf.tls_options; /* default */
if (!MyConnect(acptr) || !IsSecure(acptr))
return NULL;
@@ -984,7 +984,7 @@ SSLOptions *FindSSLOptionsForUser(aClient *acptr)
sni = Find_sni(acptr->local->sni_servername);
if (sni)
{
sslopt = sni->ssl_options;
sslopt = sni->tls_options;
}
/* It is perfectly possible that 'name' is not found and 'sni' is NULL,
* if a client used a hostname which we do not know about (eg: 'dummy').
@@ -1200,23 +1200,23 @@ char *spki_fingerprint(aClient *cptr)
/** Returns 1 if the client is using an outdated protocol or cipher, 0 otherwise */
int outdated_tls_client(aClient *acptr)
{
SSLOptions *ssloptions = get_ssl_options_for_client(acptr);
TLSOptions *tlsoptions = get_tls_options_for_client(acptr);
char buf[1024], *name, *p;
const char *client_protocol = SSL_get_version(acptr->local->ssl);
const char *client_ciphersuite = SSL_get_cipher(acptr->local->ssl);
int bad = 0;
if (!ssloptions)
if (!tlsoptions)
return 0; /* odd.. */
strlcpy(buf, ssloptions->outdated_protocols, sizeof(buf));
strlcpy(buf, tlsoptions->outdated_protocols, sizeof(buf));
for (name = strtoken(&p, buf, ","); name; name = strtoken(&p, NULL, ","))
{
if (!_match(name, client_protocol))
return 1; /* outdated protocol */
}
strlcpy(buf, ssloptions->outdated_ciphers, sizeof(buf));
strlcpy(buf, tlsoptions->outdated_ciphers, sizeof(buf));
for (name = strtoken(&p, buf, ","); name; name = strtoken(&p, NULL, ","))
{
if (!_match(name, client_ciphersuite))
+6 -6
View File
@@ -129,7 +129,7 @@ char *url_getfilename(const char *url)
* Sets up all of the SSL options necessary to support HTTPS/FTPS
* transfers.
*/
static void set_curl_ssl_options(CURL *curl)
static void set_curl_tls_options(CURL *curl)
{
char buf[512];
@@ -138,13 +138,13 @@ static void set_curl_ssl_options(CURL *curl)
* But this information is not known yet since the configuration file has not been
* parsed yet at this point.
*/
curl_easy_setopt(curl, CURLOPT_SSLCERT, iConf.ssl_options->certificate_file);
curl_easy_setopt(curl, CURLOPT_SSLCERT, iConf.tls_options->certificate_file);
if (SSLKeyPasswd)
curl_easy_setopt(curl, CURLOPT_SSLKEYPASSWD, SSLKeyPasswd);
curl_easy_setopt(curl, CURLOPT_SSLKEY, iConf.ssl_options->key_file);
curl_easy_setopt(curl, CURLOPT_SSLKEY, iConf.tls_options->key_file);
#endif
snprintf(buf, sizeof(buf), "%s/ssl/curl-ca-bundle.crt", CONFDIR);
snprintf(buf, sizeof(buf), "%s/tls/curl-ca-bundle.crt", CONFDIR);
curl_easy_setopt(curl, CURLOPT_CAINFO, buf);
}
@@ -218,7 +218,7 @@ char *download_file(const char *url, char **error)
*/
curl_easy_setopt(curl, CURLOPT_FORBID_REUSE, 1);
set_curl_ssl_options(curl);
set_curl_tls_options(curl);
bzero(errorbuf, CURL_ERROR_SIZE);
curl_easy_setopt(curl, CURLOPT_ERRORBUFFER, errorbuf);
res = curl_easy_perform(curl);
@@ -430,7 +430,7 @@ void download_file_async(const char *url, time_t cachetime, vFP callback, void *
curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, do_download);
curl_easy_setopt(curl, CURLOPT_WRITEDATA, (void *)handle->fd);
curl_easy_setopt(curl, CURLOPT_FAILONERROR, 1);
set_curl_ssl_options(curl);
set_curl_tls_options(curl);
bzero(handle->errorbuf, CURL_ERROR_SIZE);
curl_easy_setopt(curl, CURLOPT_ERRORBUFFER, handle->errorbuf);
curl_easy_setopt(curl, CURLOPT_PRIVATE, (char *)handle);
+2 -2
View File
@@ -1,6 +1,6 @@
@title Certificate Generation
SET OPENSSL_CONF=ssl.cnf
openssl ecparam -out server.key.pem -name secp384r1 -genkey
openssl req -new -config ssl.cnf -out conf/ssl/server.req.pem -key conf/ssl/server.key.pem -nodes
openssl req -x509 -config ssl.cnf -days 3650 -sha256 -in conf/ssl/server.req.pem -key conf/ssl/server.key.pem -out conf/ssl/server.cert.pem
openssl req -new -config ssl.cnf -out conf/tls/server.req.pem -key conf/tls/server.key.pem -nodes
openssl req -x509 -config ssl.cnf -days 3650 -sha256 -in conf/tls/server.req.pem -key conf/tls/server.key.pem -out conf/tls/server.cert.pem
+1 -1
View File
@@ -211,7 +211,7 @@ __EOF__
echo ""
echo "Thanks!"
elif [ "$1" = "spki" -o "$1" = "spkifp" ] ; then
CERT="@CONFDIR@/ssl/server.cert.pem"
CERT="@CONFDIR@/tls/server.cert.pem"
if [ "$2" != "" ]; then
CERT="$2"
fi