From 09cf485d6c464ef76aac1470dfc3213a7fd2f89a Mon Sep 17 00:00:00 2001 From: Bram Matthys Date: Mon, 12 Aug 2019 14:26:31 +0200 Subject: [PATCH] Mass rename of "ssl" to "tls" everywhere. Including conf/ssl to conf/tls. If you are upgrading then conf/ssl will be renamed to conf/tls and a symlink will be added (so certbot etc won't fail). This is part 1... --- Config | 6 +- Makefile.in | 11 +- include/dynconf.h | 8 +- include/h.h | 4 +- include/ssl.h | 12 +- include/struct.h | 60 ++++---- src/bsd.c | 16 +- src/conf.c | 325 ++++++++++++++++++++------------------- src/crashreport.c | 2 +- src/ircd.c | 6 +- src/list.c | 2 +- src/modules/certfp.c | 2 +- src/modules/nick.c | 4 +- src/modules/server.c | 2 +- src/modules/starttls.c | 12 +- src/modules/stats.c | 16 +- src/modules/sts.c | 14 +- src/modules/trace.c | 4 +- src/serv.c | 4 +- src/socket.c | 4 +- src/ssl.c | 126 +++++++-------- src/url.c | 12 +- src/windows/makecert.bat | 4 +- unrealircd.in | 2 +- 24 files changed, 334 insertions(+), 324 deletions(-) diff --git a/Config b/Config index 6305859da..c7bfb9fcc 100755 --- a/Config +++ b/Config @@ -105,7 +105,7 @@ echo $CONF $CONF || exit 1 cd "$UNREALCWD" if [ "$QUICK" != "1" ] ; then -if [ ! -f $CONFDIR/ssl/server.cert.pem ]; then +if [ ! -f $CONFDIR/tls/server.cert.pem -a ! -f $CONFDIR/ssl/server.cert.pem ]; then export OPENSSLPATH TEST="" while [ -z "$TEST" ] ; do @@ -142,10 +142,10 @@ if [ "$GENCERTIFICATE" = 1 ]; then sleep 1 else echo "Ok, not generating SSL certificate. Make sure that the certificate and key" - echo "are installed in conf/ssl/server.crt.pem and conf/ssl/server.key.pem prior to starting the IRCd." + echo "are installed in conf/tls/server.crt.pem and conf/tls/server.key.pem prior to starting the IRCd." fi else -echo "SSL certificate exists in $CONFDIR/ssl/server.cert.pem, no need to regenerate." +echo "SSL certificate already exists in configuration directory, no need to regenerate." fi fi 
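Review bot: The rewritten hint in the second Config hunk tells the operator to install `conf/tls/server.crt.pem`, while the new existence check at the top of the same file and the new defaults in conf.c (`%s/tls/server.cert.pem`) look for `server.cert.pem`, so a certificate dropped in under the advertised name is never found and the IRCd either regenerates or fails to start TLS. The line should read `echo "are installed in conf/tls/server.cert.pem and conf/tls/server.key.pem prior to starting the IRCd."`. The `.crt.pem` spelling predates this commit, but the line is being rewritten here, so this is the place to align it.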
diff --git a/Makefile.in b/Makefile.in index ed8118e47..c8d7a59a7 100644 --- a/Makefile.in +++ b/Makefile.in @@ -193,8 +193,6 @@ install: all $(INSTALL) -m 0600 doc/conf/help/*.conf @CONFDIR@/help $(INSTALL) -m 0700 -d @CONFDIR@/examples $(INSTALL) -m 0600 doc/conf/examples/*.conf @CONFDIR@/examples - $(INSTALL) -m 0700 -d @CONFDIR@/ssl - $(INSTALL) -m 0600 doc/conf/ssl/curl-ca-bundle.crt @CONFDIR@/ssl $(INSTALL) -m 0700 unrealircd @SCRIPTDIR@ $(INSTALL) -m 0700 -d @MODULESDIR@ $(INSTALL) -m 0700 src/modules/*.so @MODULESDIR@ @@ -206,6 +204,15 @@ install: all $(INSTALL) -m 0700 src/modules/snomasks/*.so @MODULESDIR@/snomasks $(INSTALL) -m 0700 -d @MODULESDIR@/extbans $(INSTALL) -m 0700 src/modules/extbans/*.so @MODULESDIR@/extbans + @#If the conf/ssl directory exists then rename it here to conf/tls + @#and add a symlink for backwards compatibility (so that f.e. certbot + @#doesn't randomly fail after an upgrade to U5). + -@if [ -d "@CONFDIR@/ssl" ] ; then \ + mv "@CONFDIR@/ssl" "@CONFDIR@/tls" ; \ + ln -s "@CONFDIR@/tls" "@CONFDIR@/ssl" ; \ + fi + $(INSTALL) -m 0700 -d @CONFDIR@/tls + $(INSTALL) -m 0600 doc/conf/ssl/curl-ca-bundle.crt @CONFDIR@/ssl @# delete modules/cap directory, to avoid confusing with U4 to U5 upgrades: rm -rf @MODULESDIR@/cap $(INSTALL) -m 0700 -d @MODULESDIR@/third diff --git a/include/dynconf.h b/include/dynconf.h index 5db2092d5..b118d2dc1 100644 --- a/include/dynconf.h +++ b/include/dynconf.h @@ -63,7 +63,7 @@ struct zConfiguration { unsigned ident_check:1; unsigned fail_oper_warn:1; unsigned show_connect_info:1; - unsigned no_connect_ssl_info:1; + unsigned no_connect_tls_info:1; unsigned dont_resolve:1; unsigned use_ban_version:1; unsigned mkpasswd_for_everyone:1; @@ -93,7 +93,7 @@ struct zConfiguration { char *egd_path; char *static_quit; char *static_part; - SSLOptions *ssl_options; + TLSOptions *tls_options; Policy plaintext_policy_user; char *plaintext_policy_user_message; Policy plaintext_policy_oper; 
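Review bot: The last added line still installs the CA bundle to `@CONFDIR@/ssl`, but on a fresh install that path does not exist (only `@CONFDIR@/tls` was just created), so `install` writes the bundle as a regular file literally named `ssl` in the conf directory rather than `tls/curl-ca-bundle.crt`, which is where the new default `trusted_ca_file` in conf.c points; the line should be `$(INSTALL) -m 0600 doc/conf/ssl/curl-ca-bundle.crt @CONFDIR@/tls`. The upgrade branch also re-fires on every later `make install`, because `[ -d ]` follows the symlink it created, so `mv` drops the link inside `tls/` as a self-referential entry before `ln -s` recreates it; `if [ -d "@CONFDIR@/ssl" ] && [ ! -L "@CONFDIR@/ssl" ]` makes it a one-time migration. Since the recipe carries the `-` prefix, a failed `mv` is ignored and `ln -s` still runs against the untouched directory, creating `ssl/tls` inside it; joining the two with `&&` instead of `;` avoids that.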
@@ -194,7 +194,7 @@ extern MODVAR int ipv6_disabled; #define IDENT_CHECK iConf.ident_check #define FAILOPER_WARN iConf.fail_oper_warn #define SHOWCONNECTINFO iConf.show_connect_info -#define NOCONNECTSSLINFO iConf.no_connect_ssl_info +#define NOCONNECTSSLINFO iConf.no_connect_tls_info #define OPER_ONLY_STATS iConf.oper_only_stats #define ANTI_SPAM_QUIT_MSG_TIME iConf.anti_spam_quit_message_time #ifdef HAVE_RAND_EGD @@ -360,7 +360,7 @@ struct SetCheck { unsigned has_options_fail_oper_warn:1; unsigned has_options_dont_resolve:1; unsigned has_options_show_connect_info:1; - unsigned has_options_no_connect_ssl_info:1; + unsigned has_options_no_connect_tls_info:1; unsigned has_options_mkpasswd_for_everyone:1; unsigned has_options_allow_insane_bans:1; unsigned has_options_allow_part_if_shunned:1; diff --git a/include/h.h b/include/h.h index e457e7e3d..2f8a5e6b0 100644 --- a/include/h.h +++ b/include/h.h @@ -526,7 +526,7 @@ extern time_t rfc2time(char *s); extern char *rfctime(time_t t, char *buf); extern void *MyMallocEx(size_t size); extern MODFUNC char *ssl_get_cipher(SSL *ssl); -extern SSLOptions *get_ssl_options_for_client(aClient *acptr); +extern TLSOptions *get_tls_options_for_client(aClient *acptr); extern int outdated_tls_client(aClient *acptr); extern char *outdated_tls_client_build_string(char *pattern, aClient *acptr); extern long config_checkval(char *value, unsigned short flags); @@ -815,7 +815,7 @@ extern int has_common_channels(aClient *c1, aClient *c2); extern int user_can_see_member(aClient *user, aClient *target, aChannel *chptr); extern int invisible_user_in_channel(aClient *target, aChannel *chptr); extern MODVAR int ssl_client_index; -extern SSLOptions *FindSSLOptionsForUser(aClient *acptr); +extern TLSOptions *FindTLSOptionsForUser(aClient *acptr); extern int IsWebsocket(aClient *acptr); extern Policy policy_strtoval(char *s); extern char *policy_valtostr(Policy policy); diff --git a/include/ssl.h b/include/ssl.h index df937b38c..906dc39f1 100644 
--- a/include/ssl.h +++ b/include/ssl.h @@ -12,11 +12,11 @@ extern int ircd_SSL_connect(aClient *acptr, int fd); extern int SSL_smart_shutdown(SSL *ssl); extern void ircd_SSL_client_handshake(int, int, void *); extern void SSL_set_nonblocking(SSL *s); -extern SSL_CTX *init_ctx(SSLOptions *ssloptions, int server); +extern SSL_CTX *init_ctx(TLSOptions *tlsoptions, int server); -#define SSL_PROTOCOL_TLSV1 0x0001 -#define SSL_PROTOCOL_TLSV1_1 0x0002 -#define SSL_PROTOCOL_TLSV1_2 0x0004 -#define SSL_PROTOCOL_TLSV1_3 0x0008 +#define TLS_PROTOCOL_TLSV1 0x0001 +#define TLS_PROTOCOL_TLSV1_1 0x0002 +#define TLS_PROTOCOL_TLSV1_2 0x0004 +#define TLS_PROTOCOL_TLSV1_3 0x0008 -#define SSL_PROTOCOL_ALL 0xffff +#define TLS_PROTOCOL_ALL 0xffff diff --git a/include/struct.h b/include/struct.h index d77d7dd6a..9c5587ea3 100644 --- a/include/struct.h +++ b/include/struct.h @@ -247,9 +247,9 @@ typedef OperPermission (*OperClassEntryEvalCallback)(OperClassACLEntryVar* varia #define STAT_LOG -7 /* logfile for -x */ #define STAT_CONNECTING -6 -#define STAT_SSL_STARTTLS_HANDSHAKE -8 -#define STAT_SSL_CONNECT_HANDSHAKE -5 -#define STAT_SSL_ACCEPT_HANDSHAKE -4 +#define STAT_TLS_STARTTLS_HANDSHAKE -8 +#define STAT_TLS_CONNECT_HANDSHAKE -5 +#define STAT_TLS_ACCEPT_HANDSHAKE -4 #define STAT_HANDSHAKE -3 #define STAT_ME -2 #define STAT_UNKNOWN -1 
@@ -264,18 +264,18 @@ typedef OperPermission (*OperClassEntryEvalCallback)(OperClassACLEntryVar* varia #define IsConnecting(x) ((x)->status == STAT_CONNECTING) #define IsHandshake(x) ((x)->status == STAT_HANDSHAKE) #define IsMe(x) ((x)->status == STAT_ME) -#define IsUnknown(x) (((x)->status == STAT_UNKNOWN) || ((x)->status == STAT_SSL_STARTTLS_HANDSHAKE)) +#define IsUnknown(x) (((x)->status == STAT_UNKNOWN) || ((x)->status == STAT_TLS_STARTTLS_HANDSHAKE)) #define IsServer(x) ((x)->status == STAT_SERVER) #define IsClient(x) ((x)->status == STAT_CLIENT) #define IsLog(x) ((x)->status == STAT_LOG) -#define IsSSLStartTLSHandshake(x) ((x)->status == STAT_SSL_STARTTLS_HANDSHAKE) -#define IsSSLAcceptHandshake(x) ((x)->status == STAT_SSL_ACCEPT_HANDSHAKE) -#define IsSSLConnectHandshake(x) ((x)->status == STAT_SSL_CONNECT_HANDSHAKE) -#define IsSSLHandshake(x) (IsSSLAcceptHandshake(x) || IsSSLConnectHandshake(x) | IsSSLStartTLSHandshake(x)) -#define SetSSLStartTLSHandshake(x) ((x)->status = STAT_SSL_STARTTLS_HANDSHAKE) -#define SetSSLAcceptHandshake(x) ((x)->status = STAT_SSL_ACCEPT_HANDSHAKE) -#define SetSSLConnectHandshake(x) ((x)->status = STAT_SSL_CONNECT_HANDSHAKE) +#define IsStartTLSHandshake(x) ((x)->status == STAT_TLS_STARTTLS_HANDSHAKE) +#define IsTLSAcceptHandshake(x) ((x)->status == STAT_TLS_ACCEPT_HANDSHAKE) +#define IsTLSConnectHandshake(x) ((x)->status == STAT_TLS_CONNECT_HANDSHAKE) +#define IsTLSHandshake(x) (IsTLSAcceptHandshake(x) || IsTLSConnectHandshake(x) | IsStartTLSHandshake(x)) +#define SetStartTLSHandshake(x) ((x)->status = STAT_TLS_STARTTLS_HANDSHAKE) +#define SetTLSAcceptHandshake(x) ((x)->status = STAT_TLS_ACCEPT_HANDSHAKE) +#define SetTLSConnectHandshake(x) ((x)->status = STAT_TLS_CONNECT_HANDSHAKE) #define SetConnecting(x) ((x)->status = STAT_CONNECTING) #define SetHandshake(x) ((x)->status = STAT_HANDSHAKE) 
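Review bot: The renamed `IsTLSHandshake(x)` keeps a bitwise `|` before `IsStartTLSHandshake(x)` while the first two operands are joined with `||`; it only happens to evaluate correctly because each operand is a 0/1 comparison result and `|` binds tighter than `||`, which hides the intent from the next reader. Since the macro is rewritten anyway, make it `#define IsTLSHandshake(x) (IsTLSAcceptHandshake(x) || IsTLSConnectHandshake(x) || IsStartTLSHandshake(x))`.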
@@ -312,7 +312,7 @@ typedef OperPermission (*OperClassEntryEvalCallback)(OperClassACLEntryVar* varia #define FLAGS_DCCNOTICE 0x00100000 /* Has the user seen a notice on how to use DCCALLOW already? */ #define FLAGS_SHUNNED 0x00200000 /* Connection is shunned */ #define FLAGS_VIRUS 0x00400000 /* Tagged by spamfilter */ -#define FLAGS_SSL 0x00800000 /* Connection is using SSL/TLS */ +#define FLAGS_TLS 0x00800000 /* Connection is using SSL/TLS */ #define FLAGS_NOFAKELAG 0x01000000 /* Exemption from fake lag */ #define FLAGS_DCCBLOCK 0x02000000 /* Block all DCC send requests */ #define FLAGS_MAP 0x04000000 /* Show this entry in /MAP */ @@ -388,7 +388,7 @@ typedef OperPermission (*OperClassEntryEvalCallback)(OperClassACLEntryVar* varia #define IsVirus(x) ((x)->flags & FLAGS_VIRUS) #define SetVirus(x) ((x)->flags |= FLAGS_VIRUS) #define ClearVirus(x) ((x)->flags &= ~FLAGS_VIRUS) -#define IsSecure(x) ((x)->flags & FLAGS_SSL) +#define IsSecure(x) ((x)->flags & FLAGS_TLS) /* Fake lag exception */ #define IsNoFakeLag(x) ((x)->flags & FLAGS_NOFAKELAG) @@ -398,7 +398,7 @@ typedef OperPermission (*OperClassEntryEvalCallback)(OperClassACLEntryVar* varia #define IsHidden(x) ((x)->umodes & UMODE_HIDE) #define IsSetHost(x) ((x)->umodes & UMODE_SETHOST) #define IsHideOper(x) ((x)->umodes & UMODE_HIDEOPER) -#define IsSSL(x) IsSecure(x) +#define IsTLS(x) IsSecure(x) #define IsNotSpoof(x) ((x)->local->nospoof == 0) #define GetHost(x) (IsHidden(x) ? (x)->user->virthost : (x)->user->realhost) 
@@ -825,13 +825,13 @@ extern void unload_all_unused_moddata(void); #define LISTENER_NORMAL 0x000001 #define LISTENER_CLIENTSONLY 0x000002 #define LISTENER_SERVERSONLY 0x000004 -#define LISTENER_SSL 0x000010 +#define LISTENER_TLS 0x000010 #define LISTENER_BOUND 0x000020 #define LISTENER_DEFER_ACCEPT 0x000040 #define IsServersOnlyListener(x) ((x) && ((x)->options & LISTENER_SERVERSONLY)) -#define CONNECT_SSL 0x000001 +#define CONNECT_TLS 0x000001 //0x000002 unused (was ziplinks) #define CONNECT_AUTO 0x000004 #define CONNECT_QUARANTINE 0x000008 @@ -839,9 +839,9 @@ extern void unload_all_unused_moddata(void); #define CONNECT_NOHOSTCHECK 0x000020 #define CONNECT_INSECURE 0x000040 -#define SSLFLAG_FAILIFNOCERT 0x1 -#define SSLFLAG_NOSTARTTLS 0x8 -#define SSLFLAG_DISABLECLIENTCERT 0x10 +#define TLSFLAG_FAILIFNOCERT 0x1 +#define TLSFLAG_NOSTARTTLS 0x8 +#define TLSFLAG_DISABLECLIENTCERT 0x10 struct Client { struct list_head client_node; /* for global client list (client_list) */ @@ -1090,7 +1090,7 @@ struct _configitem_class { struct _configflag_allow { unsigned noident :1; unsigned useip :1; - unsigned ssl :1; + unsigned tls :1; }; struct _configitem_allow { @@ -1167,13 +1167,13 @@ struct _configitem_oper { int maxlogins; }; -/** The SSL options that are used in set::ssl and otherblocks::ssl-options. +/** The SSL/TLS options that are used in set::tls and otherblocks::tls-options. * NOTE: If you add something here then you must also update the - * conf_sslblock() function in s_conf.c to have it inherited - * from set::ssl to the other config blocks! + * conf_tlsblock() function in s_conf.c to have it inherited + * from set::tls to the other config blocks! */ -typedef struct _ssloptions SSLOptions; -struct _ssloptions { +typedef struct _tlsoptions TLSOptions; +struct _tlsoptions { char *certificate_file; char *key_file; char *dh_file; 
@@ -1209,7 +1209,7 @@ struct _configitem_ulines { char *servername; }; -#define TLD_SSL 0x1 +#define TLD_TLS 0x1 #define TLD_REMOTE 0x2 struct _configitem_tld { @@ -1231,7 +1231,7 @@ struct _configitem_listen { int fd; int ipv6; SSL_CTX *ssl_ctx; - SSLOptions *ssl_options; + TLSOptions *tls_options; }; struct _configitem_sni { @@ -1239,7 +1239,7 @@ struct _configitem_sni { ConfigFlag flag; char *name; SSL_CTX *ssl_ctx; - SSLOptions *ssl_options; + TLSOptions *tls_options; }; struct _configitem_vhost { @@ -1263,7 +1263,7 @@ struct _configitem_link { char *bind_ip; /**< Our IP to bind to when doing the connect */ char *hostname; /**< Hostname or IP to connect to */ int port; /**< Port to connect to */ - int options; /**< Connect options like ssl or autoconnect */ + int options; /**< Connect options like tls or autoconnect */ } outgoing; anAuthStruct *auth; /**< authentication method (eg: password) */ char *hub; /**< Hub mask */ @@ -1277,7 +1277,7 @@ struct _configitem_link { time_t hold; /**< For how long the server is "on hold" for outgoing connects (why?) */ char *connect_ip; /**< actual IP to use for outgoing connect (filled in after host is resolved) */ SSL_CTX *ssl_ctx; /**< SSL Context for outgoing connection (optional) */ - SSLOptions *ssl_options; /**< SSL Options for outgoing connection (optional) */ + TLSOptions *tls_options; /**< SSL Options for outgoing connection (optional) */ }; struct _configitem_except { diff --git a/src/bsd.c b/src/bsd.c index d45fafbc5..6ad0266e7 100644 --- a/src/bsd.c +++ b/src/bsd.c @@ -432,7 +432,7 @@ void close_listener(ConfigItem_listen *listener) ircd_log(LOG_ERROR, "IRCd no longer listening on %s:%d (%s)%s", listener->ip, listener->port, listener->ipv6 ? "IPv6" : "IPv4", - listener->options & LISTENER_SSL ? " (SSL)" : ""); + listener->options & LISTENER_TLS ? " (SSL)" : ""); fd_close(listener->fd); --OpenFiles; } 
@@ -753,7 +753,7 @@ void close_connection(aClient *cptr) if (cptr->fd >= 0) { send_queued(cptr); - if (IsSSL(cptr) && cptr->local->ssl) { + if (IsTLS(cptr) && cptr->local->ssl) { SSL_set_shutdown(cptr->local->ssl, SSL_RECEIVED_SHUTDOWN); SSL_smart_shutdown(cptr->local->ssl); SSL_free(cptr->local->ssl); @@ -1042,19 +1042,19 @@ refuse_client: list_add(&acptr->lclient_node, &unknown_list); - if ((listener->options & LISTENER_SSL) && ctx_server) + if ((listener->options & LISTENER_TLS) && ctx_server) { SSL_CTX *ctx = listener->ssl_ctx ? listener->ssl_ctx : ctx_server; if (ctx) { - SetSSLAcceptHandshake(acptr); + SetTLSAcceptHandshake(acptr); Debug((DEBUG_DEBUG, "Starting SSL accept handshake for %s", acptr->local->sockhost)); if ((acptr->local->ssl = SSL_new(ctx)) == NULL) { goto refuse_client; } - acptr->flags |= FLAGS_SSL; + acptr->flags |= FLAGS_TLS; SSL_set_fd(acptr->local->ssl, fd); SSL_set_nonblocking(acptr->local->ssl); SSL_set_ex_data(acptr->local->ssl, ssl_client_index, acptr); @@ -1234,7 +1234,7 @@ void read_packet(int fd, int revents, void *data) while (1) { - if (IsSSL(cptr) && cptr->local->ssl != NULL) + if (IsTLS(cptr) && cptr->local->ssl != NULL) { length = SSL_read(cptr->local->ssl, readbuf, sizeof(readbuf)); @@ -1482,9 +1482,9 @@ int connect_server(ConfigItem_link *aconf, aClient *by, struct hostent *hp) set_sockhost(cptr, aconf->outgoing.hostname); add_client_to_list(cptr); - if (aconf->outgoing.options & CONNECT_SSL) + if (aconf->outgoing.options & CONNECT_TLS) { - SetSSLConnectHandshake(cptr); + SetTLSConnectHandshake(cptr); fd_setselect(cptr->fd, FD_SELECT_WRITE, ircd_SSL_client_handshake, cptr); } else diff --git a/src/conf.c b/src/conf.c index ebce34ff2..75675d706 100644 --- a/src/conf.c +++ b/src/conf.c 
@@ -141,8 +141,9 @@ static NameValue _ListenerFlags[] = { { LISTENER_CLIENTSONLY, "clientsonly"}, { LISTENER_DEFER_ACCEPT, "defer-accept"}, { LISTENER_SERVERSONLY, "serversonly"}, - { LISTENER_SSL, "ssl"}, + { LISTENER_TLS, "ssl"}, { LISTENER_NORMAL, "standard"}, + { LISTENER_TLS, "tls"}, }; /* This MUST be alphabetized */ @@ -150,7 +151,8 @@ static NameValue _LinkFlags[] = { { CONNECT_AUTO, "autoconnect" }, { CONNECT_INSECURE, "insecure" }, { CONNECT_QUARANTINE, "quarantine"}, - { CONNECT_SSL, "ssl" }, + { CONNECT_TLS, "ssl" }, + { CONNECT_TLS, "tls" }, }; /* This MUST be alphabetized */ @@ -179,10 +181,10 @@ static NameValue ExceptTklFlags[] = { }; /* This MUST be alphabetized */ -static NameValue _SSLFlags[] = { - { SSLFLAG_FAILIFNOCERT, "fail-if-no-clientcert" }, - { SSLFLAG_DISABLECLIENTCERT, "no-client-certificate" }, - { SSLFLAG_NOSTARTTLS, "no-starttls" }, +static NameValue _TLSFlags[] = { + { TLSFLAG_FAILIFNOCERT, "fail-if-no-clientcert" }, + { TLSFLAG_DISABLECLIENTCERT, "no-client-certificate" }, + { TLSFLAG_NOSTARTTLS, "no-starttls" }, }; struct { @@ -229,12 +231,12 @@ extern void unload_all_unused_history_backends(void); int reloadable_perm_module_unloaded(void); -int ssl_tests(void); +int tls_tests(void); /* Conf sub-sub-functions */ -void test_sslblock(ConfigFile *conf, ConfigEntry *cep, int *totalerrors); -void conf_sslblock(ConfigFile *conf, ConfigEntry *cep, SSLOptions *ssloptions); -void free_ssl_options(SSLOptions *ssloptions); +void test_tlsblock(ConfigFile *conf, ConfigEntry *cep, int *totalerrors); +void conf_tlsblock(ConfigFile *conf, ConfigEntry *cep, TLSOptions *tlsoptions); +void free_tls_options(TLSOptions *tlsoptions); /* * Config parser (IRCd) @@ -289,7 +291,7 @@ int config_verbose = 0; MODVAR int need_34_upgrade = 0; int need_operclass_permissions_upgrade = 0; -int have_ssl_listeners = 0; +int have_tls_listeners = 0; char *port_6667_ip = NULL; void add_include(const char *filename, const char *included_from, int included_from_line); 
@@ -1441,10 +1443,10 @@ void free_iConf(aConfiguration *i) safefree(i->channel_command_prefix); safefree(i->oper_snomask); safefree(i->static_quit); - if (i->ssl_options) + if (i->tls_options) { - free_ssl_options(i->ssl_options); - i->ssl_options = NULL; + free_tls_options(i->tls_options); + i->tls_options = NULL; } safefree(i->restrict_usermodes); safefree(i->restrict_channelmodes); 
@@ -1524,25 +1526,25 @@ void config_setdefaultsettings(aConfiguration *i) i->broadcast_channel_messages = BROADCAST_CHANNEL_MESSAGES_AUTO; /* SSL/TLS options */ - i->ssl_options = MyMallocEx(sizeof(SSLOptions)); - snprintf(tmp, sizeof(tmp), "%s/ssl/server.cert.pem", CONFDIR); - i->ssl_options->certificate_file = strdup(tmp); - snprintf(tmp, sizeof(tmp), "%s/ssl/server.key.pem", CONFDIR); - i->ssl_options->key_file = strdup(tmp); - snprintf(tmp, sizeof(tmp), "%s/ssl/curl-ca-bundle.crt", CONFDIR); - i->ssl_options->trusted_ca_file = strdup(tmp); - i->ssl_options->ciphers = strdup(UNREALIRCD_DEFAULT_CIPHERS); - i->ssl_options->ciphersuites = strdup(UNREALIRCD_DEFAULT_CIPHERSUITES); - i->ssl_options->protocols = SSL_PROTOCOL_ALL; + i->tls_options = MyMallocEx(sizeof(TLSOptions)); + snprintf(tmp, sizeof(tmp), "%s/tls/server.cert.pem", CONFDIR); + i->tls_options->certificate_file = strdup(tmp); + snprintf(tmp, sizeof(tmp), "%s/tls/server.key.pem", CONFDIR); + i->tls_options->key_file = strdup(tmp); + snprintf(tmp, sizeof(tmp), "%s/tls/curl-ca-bundle.crt", CONFDIR); + i->tls_options->trusted_ca_file = strdup(tmp); + i->tls_options->ciphers = strdup(UNREALIRCD_DEFAULT_CIPHERS); + i->tls_options->ciphersuites = strdup(UNREALIRCD_DEFAULT_CIPHERSUITES); + i->tls_options->protocols = TLS_PROTOCOL_ALL; #ifdef HAS_SSL_CTX_SET1_CURVES_LIST - i->ssl_options->ecdh_curves = strdup(UNREALIRCD_DEFAULT_ECDH_CURVES); + i->tls_options->ecdh_curves = strdup(UNREALIRCD_DEFAULT_ECDH_CURVES); #endif - i->ssl_options->outdated_protocols = strdup("TLSv1,TLSv1.1"); + i->tls_options->outdated_protocols = strdup("TLSv1,TLSv1.1"); /* the following may look strange but "AES*" matches all * AES ciphersuites that do not have Forward Secrecy. * Any decent client using AES will use ECDHE-xx-AES. */ - i->ssl_options->outdated_ciphers = strdup("AES*,RC4*,DES*"); + i->tls_options->outdated_ciphers = strdup("AES*,RC4*,DES*"); i->plaintext_policy_user = POLICY_ALLOW; i->plaintext_policy_oper = POLICY_DENY; 
@@ -1773,7 +1775,7 @@ void config_test_reset(void) int config_test_all(void) { if ((config_test() < 0) || (callbacks_check() < 0) || (efunctions_check() < 0) || - reloadable_perm_module_unloaded() || !ssl_tests()) + reloadable_perm_module_unloaded() || !tls_tests()) { return 0; } @@ -2424,12 +2426,12 @@ void config_rehash() } conf_offchans = NULL; - /* Free sni { } blocks */ + /* Free sni { } blocks */ for (sni = conf_sni; sni; sni = (ConfigItem_sni *)next) { next = (ListStruct *)sni->next; SSL_CTX_free(sni->ssl_ctx); - free_ssl_options(sni->ssl_options); + free_tls_options(sni->tls_options); safefree(sni->name); MyFree(sni); } @@ -2892,7 +2894,7 @@ ConfigItem_tld *Find_tld(aClient *cptr) { if (match_user(tld->mask, cptr, MATCH_CHECK_REAL)) { - if ((tld->options & TLD_SSL) && !IsSecureConnect(cptr)) + if ((tld->options & TLD_TLS) && !IsSecureConnect(cptr)) continue; if ((tld->options & TLD_REMOTE) && MyClient(cptr)) continue; @@ -4479,8 +4481,8 @@ int _conf_tld(ConfigFile *conf, ConfigEntry *ce) ConfigEntry *cepp; for (cepp = cep->ce_entries; cepp; cepp = cepp->ce_next) { - if (!strcmp(cepp->ce_varname, "ssl")) - ca->options |= TLD_SSL; + if (!strcmp(cepp->ce_varname, "ssl") || !strcmp(cepp->ce_varname, "tls")) + ca->options |= TLD_TLS; else if (!strcmp(cepp->ce_varname, "remote")) ca->options |= TLD_REMOTE; } @@ -4651,7 +4653,8 @@ int _test_tld(ConfigFile *conf, ConfigEntry *ce) for (cep2 = cep->ce_entries; cep2; cep2 = cep2->ce_next) { if (strcmp(cep2->ce_varname, "ssl") && - strcmp(cep2->ce_varname, "remote")) + strcmp(cep2->ce_varname, "tls") && + strcmp(cep2->ce_varname, "remote")) { config_error_unknownopt(cep2->ce_fileptr->cf_filename, cep2->ce_varlinenum, "tld", cep2->ce_varname); @@ -4692,7 +4695,7 @@ int _conf_listen(ConfigFile *conf, ConfigEntry *ce) { ConfigEntry *cep; ConfigEntry *cepp; - ConfigEntry *sslconfig = NULL; + ConfigEntry *tlsconfig = NULL; ConfigItem_listen *listen = NULL; char *ip = NULL; int start=0, end=0, port, isnew; 
@@ -4720,9 +4723,9 @@ int _conf_listen(ConfigFile *conf, ConfigEntry *ce) tmpflags |= ofp->flag; } } else - if (!strcmp(cep->ce_varname, "ssl-options")) + if (!strcmp(cep->ce_varname, "ssl-options") || !strcmp(cep->ce_varname, "tls-options")) { - sslconfig = cep; + tlsconfig = cep; } else { for (h = Hooks[HOOKTYPE_CONFIGRUN]; h; h = h->next) @@ -4763,17 +4766,17 @@ int _conf_listen(ConfigFile *conf, ConfigEntry *ce) listen->ssl_ctx = NULL; } - if (listen->ssl_options) + if (listen->tls_options) { - free_ssl_options(listen->ssl_options); - listen->ssl_options = NULL; + free_tls_options(listen->tls_options); + listen->tls_options = NULL; } - if (sslconfig) + if (tlsconfig) { - listen->ssl_options = MyMallocEx(sizeof(SSLOptions)); - conf_sslblock(conf, sslconfig, listen->ssl_options); - listen->ssl_ctx = init_ctx(listen->ssl_options, 1); + listen->tls_options = MyMallocEx(sizeof(TLSOptions)); + conf_tlsblock(conf, tlsconfig, listen->tls_options); + listen->ssl_ctx = init_ctx(listen->tls_options, 1); } } @@ -4807,17 +4810,17 @@ int _conf_listen(ConfigFile *conf, ConfigEntry *ce) listen->ssl_ctx = NULL; } - if (listen->ssl_options) + if (listen->tls_options) { - free_ssl_options(listen->ssl_options); - listen->ssl_options = NULL; + free_tls_options(listen->tls_options); + listen->tls_options = NULL; } - if (sslconfig) + if (tlsconfig) { - listen->ssl_options = MyMallocEx(sizeof(SSLOptions)); - conf_sslblock(conf, sslconfig, listen->ssl_options); - listen->ssl_ctx = init_ctx(listen->ssl_options, 1); + listen->tls_options = MyMallocEx(sizeof(TLSOptions)); + conf_tlsblock(conf, tlsconfig, listen->tls_options); + listen->ssl_ctx = init_ctx(listen->tls_options, 1); } } } 
@@ -4895,14 +4898,14 @@ int _test_listen(ConfigFile *conf, ConfigEntry *ce) errors++; continue; } - if (!strcmp(cepp->ce_varname, "ssl")) - have_ssl_listeners = 1; /* for ssl config test */ + if (!strcmp(cepp->ce_varname, "ssl") || !strcmp(cepp->ce_varname, "tls")) + have_tls_listeners = 1; /* for ssl config test */ } } else - if (!strcmp(cep->ce_varname, "ssl-options")) + if (!strcmp(cep->ce_varname, "ssl-options") || !strcmp(cep->ce_varname, "tls-options")) { - test_sslblock(conf, cep, &errors); + test_tlsblock(conf, cep, &errors); } else if (!cep->ce_vardata) @@ -5080,8 +5083,8 @@ int _conf_allow(ConfigFile *conf, ConfigEntry *ce) allow->flags.noident = 1; else if (!strcmp(cepp->ce_varname, "useip")) allow->flags.useip = 1; - else if (!strcmp(cepp->ce_varname, "ssl")) - allow->flags.ssl = 1; + else if (!strcmp(cepp->ce_varname, "ssl") || !strcmp(cepp->ce_varname, "tls")) + allow->flags.tls = 1; } } } @@ -5277,7 +5280,7 @@ int _test_allow(ConfigFile *conf, ConfigEntry *ce) {} else if (!strcmp(cepp->ce_varname, "useip")) {} - else if (!strcmp(cepp->ce_varname, "ssl")) + else if (!strcmp(cepp->ce_varname, "ssl") || !strcmp(cepp->ce_varname, "tls")) {} else if (!strcmp(cepp->ce_varname, "sasl")) { @@ -6061,7 +6064,7 @@ int _test_vhost(ConfigFile *conf, ConfigEntry *ce) int _test_sni(ConfigFile *conf, ConfigEntry *ce) { int errors = 0; - ConfigEntry *cep, *sslconfig = NULL; + ConfigEntry *cep, *tlsconfig = NULL; if (!ce->ce_vardata) { @@ -6072,9 +6075,9 @@ int _test_sni(ConfigFile *conf, ConfigEntry *ce) for (cep = ce->ce_entries; cep; cep = cep->ce_next) { - if (!strcmp(cep->ce_varname, "ssl-options")) + if (!strcmp(cep->ce_varname, "ssl-options") || !strcmp(cep->ce_varname, "tls-options")) { - test_sslblock(conf, cep, &errors); + test_tlsblock(conf, cep, &errors); } else { config_error_unknown(cep->ce_fileptr->cf_filename, cep->ce_varlinenum, 
@@ -6090,7 +6093,7 @@ int _test_sni(ConfigFile *conf, ConfigEntry *ce) int _conf_sni(ConfigFile *conf, ConfigEntry *ce) { ConfigEntry *cep; - ConfigEntry *sslconfig = NULL; + ConfigEntry *tlsconfig = NULL; char *name; ConfigItem_sni *sni = NULL; @@ -6100,20 +6103,20 @@ int _conf_sni(ConfigFile *conf, ConfigEntry *ce) for (cep = ce->ce_entries; cep; cep = cep->ce_next) { - if (!strcmp(cep->ce_varname, "ssl-options")) + if (!strcmp(cep->ce_varname, "ssl-options") || !strcmp(cep->ce_varname, "tls-options")) { - sslconfig = cep; + tlsconfig = cep; } } - if (!sslconfig) + if (!tlsconfig) return 0; sni = MyMallocEx(sizeof(ConfigItem_listen)); sni->name = strdup(name); - sni->ssl_options = MyMallocEx(sizeof(SSLOptions)); - conf_sslblock(conf, sslconfig, sni->ssl_options); - sni->ssl_ctx = init_ctx(sni->ssl_options, 1); + sni->tls_options = MyMallocEx(sizeof(TLSOptions)); + conf_tlsblock(conf, tlsconfig, sni->tls_options); + sni->ssl_ctx = init_ctx(sni->tls_options, 1); AddListItem(sni, conf_sni); return 1; @@ -6333,11 +6336,11 @@ int _conf_link(ConfigFile *conf, ConfigEntry *ce) link->outgoing.options |= ofp->flag; } } - else if (!strcmp(cepp->ce_varname, "ssl-options")) + else if (!strcmp(cepp->ce_varname, "ssl-options") || !strcmp(cepp->ce_varname, "tls-options")) { - link->ssl_options = MyMallocEx(sizeof(SSLOptions)); - conf_sslblock(conf, cepp, link->ssl_options); - link->ssl_ctx = init_ctx(link->ssl_options, 0); + link->tls_options = MyMallocEx(sizeof(TLSOptions)); + conf_tlsblock(conf, cepp, link->tls_options); + link->ssl_ctx = init_ctx(link->tls_options, 0); } } } @@ -6495,7 +6498,7 @@ int _test_link(ConfigFile *conf, ConfigEntry *ce) { if (!strcmp(ceppp->ce_varname, "autoconnect")) ; - else if (!strcmp(ceppp->ce_varname, "ssl")) + else if (!strcmp(ceppp->ce_varname, "ssl") || strcmp(ceppp->ce_varname, "tls")) ; else if (!strcmp(ceppp->ce_varname, "insecure")) ; 
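Review bot: `sni = MyMallocEx(sizeof(ConfigItem_listen));` in `_conf_sni` sizes the allocation by the wrong struct for an object that is then used as a `ConfigItem_sni`; it should be `sni = MyMallocEx(sizeof(ConfigItem_sni));`. It is a context line rather than one this commit changes, but the surrounding block is being reworked here. From the struct.h hunk the listen item appears to be the larger of the two, so this looks like an over-allocation rather than an overflow, yet the mismatch becomes dangerous the moment either struct grows. The function's header is in the preceding hunk and its closing brace is past this one.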
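Review bot: In `_test_link` the rewritten condition `!strcmp(ceppp->ce_varname, "ssl") || strcmp(ceppp->ce_varname, "tls")` is missing the `!` on the second test, so it is true for every option name except `tls`: a misspelled entry in link::outgoing::options (say `tsl`) is silently accepted by the config test, while a correct `tls` falls through to the remaining branches and presumably hits the unknown-option error. Because `_conf_link` applies options through the `_LinkFlags` table, an unflagged typo means the outgoing link is configured without `CONNECT_TLS` and connects in plaintext. The line should be `else if (!strcmp(ceppp->ce_varname, "ssl") || !strcmp(ceppp->ce_varname, "tls"))`. The enclosing loop in `_test_link` continues past the hunk.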
@@ -6508,9 +6511,9 @@ int _test_link(ConfigFile *conf, ConfigEntry *ce) // TODO: validate more options (?) and use list rather than code here... } } - else if (!strcmp(cepp->ce_varname, "ssl-options")) + else if (!strcmp(cepp->ce_varname, "ssl-options") || !strcmp(cepp->ce_varname, "tls-options")) { - test_sslblock(conf, cepp, &errors); + test_tlsblock(conf, cepp, &errors); } else { @@ -6997,7 +7000,7 @@ int _test_require(ConfigFile *conf, ConfigEntry *ce) #define CheckNullAllowEmpty(x) if ((!(x)->ce_vardata)) { config_error("%s:%i: missing parameter", (x)->ce_fileptr->cf_filename, (x)->ce_varlinenum); errors++; continue; } #define CheckDuplicate(cep, name, display) if (settings.has_##name) { config_warn_duplicate((cep)->ce_fileptr->cf_filename, cep->ce_varlinenum, "set::" display); continue; } else settings.has_##name = 1 -void test_sslblock(ConfigFile *conf, ConfigEntry *cep, int *totalerrors) +void test_tlsblock(ConfigFile *conf, ConfigEntry *cep, int *totalerrors) { ConfigEntry *cepp, *ceppp; int errors = 0; @@ -7050,15 +7053,15 @@ void test_sslblock(ConfigFile *conf, ConfigEntry *cep, int *totalerrors) } if (!stricmp(name, "All")) - option = SSL_PROTOCOL_ALL; + option = TLS_PROTOCOL_ALL; else if (!stricmp(name, "TLSv1")) - option = SSL_PROTOCOL_TLSV1; + option = TLS_PROTOCOL_TLSV1; else if (!stricmp(name, "TLSv1.1")) - option = SSL_PROTOCOL_TLSV1_1; + option = TLS_PROTOCOL_TLSV1_1; else if (!stricmp(name, "TLSv1.2")) - option = SSL_PROTOCOL_TLSV1_2; + option = TLS_PROTOCOL_TLSV1_2; else if (!stricmp(name, "TLSv1.3")) - option = SSL_PROTOCOL_TLSV1_3; + option = TLS_PROTOCOL_TLSV1_3; else { #ifdef SSL_OP_NO_TLSv1_3 
@@ -7108,9 +7111,9 @@ void test_sslblock(ConfigFile *conf, ConfigEntry *cep, int *totalerrors) else if (!strcmp(cepp->ce_varname, "options")) { for (ceppp = cepp->ce_entries; ceppp; ceppp = ceppp->ce_next) - if (!config_binary_flags_search(_SSLFlags, ceppp->ce_varname, ARRAY_SIZEOF(_SSLFlags))) + if (!config_binary_flags_search(_TLSFlags, ceppp->ce_varname, ARRAY_SIZEOF(_TLSFlags))) { - config_error("%s:%i: unknown SSL flag '%s'", + config_error("%s:%i: unknown SSL/TLS option '%s'", ceppp->ce_fileptr->cf_filename, ceppp->ce_varlinenum, ceppp->ce_varname); errors ++; 
@@ -7178,48 +7181,48 @@ void test_sslblock(ConfigFile *conf, ConfigEntry *cep, int *totalerrors) *totalerrors += errors; } -void free_ssl_options(SSLOptions *ssloptions) +void free_tls_options(TLSOptions *tlsoptions) { - if (!ssloptions) + if (!tlsoptions) return; - safefree(ssloptions->certificate_file); - safefree(ssloptions->key_file); - safefree(ssloptions->dh_file); - safefree(ssloptions->trusted_ca_file); - safefree(ssloptions->ciphers); - safefree(ssloptions->ciphersuites); - safefree(ssloptions->ecdh_curves); - safefree(ssloptions->outdated_protocols); - safefree(ssloptions->outdated_ciphers); - memset(ssloptions, 0, sizeof(SSLOptions)); - MyFree(ssloptions); + safefree(tlsoptions->certificate_file); + safefree(tlsoptions->key_file); + safefree(tlsoptions->dh_file); + safefree(tlsoptions->trusted_ca_file); + safefree(tlsoptions->ciphers); + safefree(tlsoptions->ciphersuites); + safefree(tlsoptions->ecdh_curves); + safefree(tlsoptions->outdated_protocols); + safefree(tlsoptions->outdated_ciphers); + memset(tlsoptions, 0, sizeof(TLSOptions)); + MyFree(tlsoptions); } -void conf_sslblock(ConfigFile *conf, ConfigEntry *cep, SSLOptions *ssloptions) +void conf_tlsblock(ConfigFile *conf, ConfigEntry *cep, TLSOptions *tlsoptions) { ConfigEntry *cepp, *ceppp; NameValue *ofl; - /* First, inherit settings from set::options::ssl */ - if (ssloptions != tempiConf.ssl_options) + /* First, inherit settings from set::options::tls */ + if (tlsoptions != tempiConf.tls_options) { - safestrdup(ssloptions->certificate_file, tempiConf.ssl_options->certificate_file); - safestrdup(ssloptions->key_file, tempiConf.ssl_options->key_file); - safestrdup(ssloptions->dh_file, tempiConf.ssl_options->dh_file); - safestrdup(ssloptions->trusted_ca_file, tempiConf.ssl_options->trusted_ca_file); - ssloptions->protocols = tempiConf.ssl_options->protocols; - safestrdup(ssloptions->ciphers, tempiConf.ssl_options->ciphers); - safestrdup(ssloptions->ciphersuites, tempiConf.ssl_options->ciphersuites); 
- safestrdup(ssloptions->ecdh_curves, tempiConf.ssl_options->ecdh_curves); - safestrdup(ssloptions->outdated_protocols, tempiConf.ssl_options->outdated_protocols); - safestrdup(ssloptions->outdated_ciphers, tempiConf.ssl_options->outdated_ciphers); - ssloptions->options = tempiConf.ssl_options->options; - ssloptions->renegotiate_bytes = tempiConf.ssl_options->renegotiate_bytes; - ssloptions->renegotiate_timeout = tempiConf.ssl_options->renegotiate_timeout; - ssloptions->sts_port = tempiConf.ssl_options->sts_port; - ssloptions->sts_duration = tempiConf.ssl_options->sts_duration; - ssloptions->sts_preload = tempiConf.ssl_options->sts_preload; + safestrdup(tlsoptions->certificate_file, tempiConf.tls_options->certificate_file); + safestrdup(tlsoptions->key_file, tempiConf.tls_options->key_file); + safestrdup(tlsoptions->dh_file, tempiConf.tls_options->dh_file); + safestrdup(tlsoptions->trusted_ca_file, tempiConf.tls_options->trusted_ca_file); + tlsoptions->protocols = tempiConf.tls_options->protocols; + safestrdup(tlsoptions->ciphers, tempiConf.tls_options->ciphers); + safestrdup(tlsoptions->ciphersuites, tempiConf.tls_options->ciphersuites); + safestrdup(tlsoptions->ecdh_curves, tempiConf.tls_options->ecdh_curves); + safestrdup(tlsoptions->outdated_protocols, tempiConf.tls_options->outdated_protocols); + safestrdup(tlsoptions->outdated_ciphers, tempiConf.tls_options->outdated_ciphers); + tlsoptions->options = tempiConf.tls_options->options; + tlsoptions->renegotiate_bytes = tempiConf.tls_options->renegotiate_bytes; + tlsoptions->renegotiate_timeout = tempiConf.tls_options->renegotiate_timeout; + tlsoptions->sts_port = tempiConf.tls_options->sts_port; + tlsoptions->sts_duration = tempiConf.tls_options->sts_duration; + tlsoptions->sts_preload = tempiConf.tls_options->sts_preload; } /* Now process the options */ 
@@ -7227,15 +7230,15 @@ void conf_sslblock(ConfigFile *conf, ConfigEntry *cep, SSLOptions *ssloptions) { if (!strcmp(cepp->ce_varname, "ciphers") || !strcmp(cepp->ce_varname, "server-cipher-list")) { - safestrdup(ssloptions->ciphers, cepp->ce_vardata); + safestrdup(tlsoptions->ciphers, cepp->ce_vardata); } else if (!strcmp(cepp->ce_varname, "ciphersuites")) { - safestrdup(ssloptions->ciphersuites, cepp->ce_vardata); + safestrdup(tlsoptions->ciphersuites, cepp->ce_vardata); } else if (!strcmp(cepp->ce_varname, "ecdh-curves")) { - safestrdup(ssloptions->ecdh_curves, cepp->ce_vardata); + safestrdup(tlsoptions->ecdh_curves, cepp->ce_vardata); } else if (!strcmp(cepp->ce_varname, "protocols")) { @@ -7244,7 +7247,7 @@ void conf_sslblock(ConfigFile *conf, ConfigEntry *cep, SSLOptions *ssloptions) char modifier; strlcpy(copy, cepp->ce_vardata, sizeof(copy)); - ssloptions->protocols = 0; + tlsoptions->protocols = 0; for (name = strtoken(&p, copy, ","); name; name = strtoken(&p, NULL, ",")) { modifier = '\0'; @@ -7257,24 +7260,24 @@ void conf_sslblock(ConfigFile *conf, ConfigEntry *cep, SSLOptions *ssloptions) } if (!stricmp(name, "All")) - option = SSL_PROTOCOL_ALL; + option = TLS_PROTOCOL_ALL; else if (!stricmp(name, "TLSv1")) - option = SSL_PROTOCOL_TLSV1; + option = TLS_PROTOCOL_TLSV1; else if (!stricmp(name, "TLSv1.1")) - option = SSL_PROTOCOL_TLSV1_1; + option = TLS_PROTOCOL_TLSV1_1; else if (!stricmp(name, "TLSv1.2")) - option = SSL_PROTOCOL_TLSV1_2; + option = TLS_PROTOCOL_TLSV1_2; else if (!stricmp(name, "TLSv1.3")) - option = SSL_PROTOCOL_TLSV1_3; + option = TLS_PROTOCOL_TLSV1_3; if (option) { if (modifier == '\0') - ssloptions->protocols = option; + tlsoptions->protocols = option; else if (modifier == '+') - ssloptions->protocols |= option; + tlsoptions->protocols |= option; else if (modifier == '-') - ssloptions->protocols &= ~option; + tlsoptions->protocols &= ~option; } } } 
@@ -7285,50 +7288,50 @@ void conf_sslblock(ConfigFile *conf, ConfigEntry *cep, SSLOptions *ssloptions) else if (!strcmp(cepp->ce_varname, "certificate")) { convert_to_absolute_path(&cepp->ce_vardata, CONFDIR); - safestrdup(ssloptions->certificate_file, cepp->ce_vardata); + safestrdup(tlsoptions->certificate_file, cepp->ce_vardata); } else if (!strcmp(cepp->ce_varname, "key")) { convert_to_absolute_path(&cepp->ce_vardata, CONFDIR); - safestrdup(ssloptions->key_file, cepp->ce_vardata); + safestrdup(tlsoptions->key_file, cepp->ce_vardata); } else if (!strcmp(cepp->ce_varname, "trusted-ca-file")) { convert_to_absolute_path(&cepp->ce_vardata, CONFDIR); - safestrdup(ssloptions->trusted_ca_file, cepp->ce_vardata); + safestrdup(tlsoptions->trusted_ca_file, cepp->ce_vardata); } else if (!strcmp(cepp->ce_varname, "renegotiate-bytes")) { - ssloptions->renegotiate_bytes = config_checkval(cepp->ce_vardata, CFG_SIZE); + tlsoptions->renegotiate_bytes = config_checkval(cepp->ce_vardata, CFG_SIZE); } else if (!strcmp(cepp->ce_varname, "renegotiate-timeout")) { - ssloptions->renegotiate_timeout = config_checkval(cepp->ce_vardata, CFG_TIME); + tlsoptions->renegotiate_timeout = config_checkval(cepp->ce_vardata, CFG_TIME); } else if (!strcmp(cepp->ce_varname, "options")) { - ssloptions->options = 0; + tlsoptions->options = 0; for (ceppp = cepp->ce_entries; ceppp; ceppp = ceppp->ce_next) { - ofl = config_binary_flags_search(_SSLFlags, ceppp->ce_varname, ARRAY_SIZEOF(_SSLFlags)); + ofl = config_binary_flags_search(_TLSFlags, ceppp->ce_varname, ARRAY_SIZEOF(_TLSFlags)); if (ofl) /* this should always be true */ - ssloptions->options |= ofl->flag; + tlsoptions->options |= ofl->flag; } } else if (!strcmp(cepp->ce_varname, "sts-policy")) { /* We do not inherit ::sts-policy if there is a specific block for this one... 
*/ - ssloptions->sts_port = 0; - ssloptions->sts_duration = 0; - ssloptions->sts_preload = 0; + tlsoptions->sts_port = 0; + tlsoptions->sts_duration = 0; + tlsoptions->sts_preload = 0; for (ceppp = cepp->ce_entries; ceppp; ceppp = ceppp->ce_next) { if (!strcmp(ceppp->ce_varname, "port")) - ssloptions->sts_port = atoi(ceppp->ce_vardata); + tlsoptions->sts_port = atoi(ceppp->ce_vardata); else if (!strcmp(ceppp->ce_varname, "duration")) - ssloptions->sts_duration = config_checkval(ceppp->ce_vardata, CFG_TIME); + tlsoptions->sts_duration = config_checkval(ceppp->ce_vardata, CFG_TIME); else if (!strcmp(ceppp->ce_varname, "preload")) - ssloptions->sts_preload = config_checkval(ceppp->ce_vardata, CFG_YESNO); + tlsoptions->sts_preload = config_checkval(ceppp->ce_vardata, CFG_YESNO); } } } @@ -7628,8 +7631,8 @@ int _conf_set(ConfigFile *conf, ConfigEntry *ce) else if (!strcmp(cepp->ce_varname, "show-connect-info")) { tempiConf.show_connect_info = 1; } - else if (!strcmp(cepp->ce_varname, "no-connect-ssl-info")) { - tempiConf.no_connect_ssl_info = 1; + else if (!strcmp(cepp->ce_varname, "no-connect-tls-info")) { + tempiConf.no_connect_tls_info = 1; } else if (!strcmp(cepp->ce_varname, "dont-resolve")) { tempiConf.dont_resolve = 1; @@ -7742,9 +7745,9 @@ int _conf_set(ConfigFile *conf, ConfigEntry *ce) int v = atoi(cep->ce_vardata); tempiConf.quit_length = v; } - else if (!strcmp(cep->ce_varname, "ssl")) { - /* no need to alloc tempiConf.ssl_options since config_defaults() already ensures it exists */ - conf_sslblock(conf, cep, tempiConf.ssl_options); + else if (!strcmp(cep->ce_varname, "ssl") || !strcmp(cep->ce_varname, "tls")) { + /* no need to alloc tempiConf.tls_options since config_defaults() already ensures it exists */ + conf_tlsblock(conf, cep, tempiConf.tls_options); } else if (!strcmp(cep->ce_varname, "plaintext-policy")) { 
@@ -8529,8 +8532,8 @@ int _test_set(ConfigFile *conf, ConfigEntry *ce) else if (!strcmp(cepp->ce_varname, "show-connect-info")) { CheckDuplicate(cepp, options_show_connect_info, "options::show-connect-info"); } - else if (!strcmp(cepp->ce_varname, "no-connect-ssl-info")) { - CheckDuplicate(cepp, options_no_connect_ssl_info, "options::no-connect-ssl-info"); + else if (!strcmp(cepp->ce_varname, "no-connect-tls-info")) { + CheckDuplicate(cepp, options_no_connect_tls_info, "options::no-connect-tls-info"); } else if (!strcmp(cepp->ce_varname, "dont-resolve")) { CheckDuplicate(cepp, options_dont_resolve, "options::dont-resolve"); @@ -8780,8 +8783,8 @@ int _test_set(ConfigFile *conf, ConfigEntry *ce) errors++; } } - else if (!strcmp(cep->ce_varname, "ssl")) { - test_sslblock(conf, cep, &errors); + else if (!strcmp(cep->ce_varname, "ssl") || !strcmp(cep->ce_varname, "tls")) { + test_tlsblock(conf, cep, &errors); } else if (!strcmp(cep->ce_varname, "plaintext-policy")) { @@ -9147,16 +9150,16 @@ void start_listeners(void) ircd_log(LOG_ERROR, "UnrealIRCd is now also listening on %s:%d (%s)%s", listenptr->ip, listenptr->port, listenptr->ipv6 ? "IPv6" : "IPv4", - listenptr->options & LISTENER_SSL ? " (SSL)" : ""); + listenptr->options & LISTENER_TLS ? " (SSL/TLS)" : ""); } else { if (listenptr->ipv6) snprintf(boundmsg_ipv6+strlen(boundmsg_ipv6), sizeof(boundmsg_ipv6)-strlen(boundmsg_ipv6), "%s:%d%s, ", listenptr->ip, listenptr->port, - listenptr->options & LISTENER_SSL ? "(SSL)" : ""); + listenptr->options & LISTENER_TLS ? "(SSL/TLS)" : ""); else snprintf(boundmsg_ipv4+strlen(boundmsg_ipv4), sizeof(boundmsg_ipv4)-strlen(boundmsg_ipv4), "%s:%d%s, ", listenptr->ip, listenptr->port, - listenptr->options & LISTENER_SSL ? "(SSL)" : ""); + listenptr->options & LISTENER_TLS ? "(SSL/TLS)" : ""); } } } 
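Review bot: `_test_set` now accepts both spellings for the same block (`!strcmp(cep->ce_varname, "ssl") || !strcmp(cep->ce_varname, "tls")`), but nothing in this hunk warns when a configuration contains both a `ssl { }` and a `tls { }` block; `_conf_set` then calls `conf_tlsblock` twice on the same `tempiConf.tls_options`, so the second block silently overrides fields set by the first. If repeated `set::ssl` blocks were already tolerated before this commit the behaviour is pre-existing, but an operator who keeps the old block while adding the new one now gets merged settings with no diagnostic. Emitting a duplicate warning when the other spelling has already been seen (along the lines of what `CheckDuplicate` does for `set::options` entries) would make the alias transition visible. The same consideration applies to the `ssl-options`/`tls-options` alias introduced in `_test_link`.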
@@ -10212,10 +10215,10 @@ void link_cleanup(ConfigItem_link *link_ptr) SSL_CTX_free(link_ptr->ssl_ctx); link_ptr->ssl_ctx = NULL; } - if (link_ptr->ssl_options) + if (link_ptr->tls_options) { - free_ssl_options(link_ptr->ssl_options); - link_ptr->ssl_options = NULL; + free_tls_options(link_ptr->tls_options); + link_ptr->tls_options = NULL; } } @@ -10259,7 +10262,7 @@ void listen_cleanup() if (listen_ptr->flag.temporary && !listen_ptr->clients) { safefree(listen_ptr->ip); - free_ssl_options(listen_ptr->ssl_options); + free_tls_options(listen_ptr->tls_options); DelListItem(listen_ptr, conf_listen); MyFree(listen_ptr); i++; @@ -10547,12 +10550,12 @@ void load_includes(void) inc->flag.type &= ~INCLUDE_NOTLOADED; } -int ssl_tests(void) +int tls_tests(void) { - if (have_ssl_listeners == 0) + if (have_tls_listeners == 0) { - config_error("Your server is not listening on any SSL ports."); - config_status("Add this to your unrealircd.conf: listen { ip %s; port 6697; options { ssl; }; };", + config_error("Your server is not listening on any SSL/TLS ports."); + config_status("Add this to your unrealircd.conf: listen { ip %s; port 6697; options { tls; }; };", port_6667_ip ? port_6667_ip : "*"); config_status("See https://www.unrealircd.org/docs/FAQ#Your_server_is_not_listening_on_any_SSL_ports"); return 0; diff --git a/src/crashreport.c b/src/crashreport.c index fbc40b3cb..d938f1aa2 100644 --- a/src/crashreport.c +++ b/src/crashreport.c @@ -458,7 +458,7 @@ SSL_CTX *crashreport_init_ssl(void) SSL_CTX_set_options(ctx_client, SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3); /* Verify peer certificate */ - snprintf(buf, sizeof(buf), "%s/ssl/curl-ca-bundle.crt", CONFDIR); + snprintf(buf, sizeof(buf), "%s/tls/curl-ca-bundle.crt", CONFDIR); SSL_CTX_load_verify_locations(ctx_client, buf, NULL); SSL_CTX_set_verify(ctx_client, SSL_VERIFY_PEER, NULL); diff --git a/src/ircd.c b/src/ircd.c index 7db0dc5dd..33c2249e9 100644 --- a/src/ircd.c +++ b/src/ircd.c 
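Review bot: The hint emitted by `tls_tests` now recommends `listen { ip %s; port 6697; options { tls; }; };`, while the listen::options parser is not part of this chunk, so I cannot confirm that it accepts `tls` as an alias for `ssl` yet. If it does not, an operator who follows the advice gets a configuration error in place of a working listener. Either keep the `ssl` keyword in the hint until the parser alias is in place, or make sure the alias lands in the same commit.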
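Review bot: The CA bundle path in `crashreport_init_ssl` changes to `%s/tls/curl-ca-bundle.crt`, yet the return value of `SSL_CTX_load_verify_locations(ctx_client, buf, NULL)` on the following line is still ignored. If the bundle is not present at the new location — for example because the install step still places it under the old directory, which this chunk does not let me confirm — the context keeps `SSL_VERIFY_PEER` with no trusted roots, and every crash-report upload fails certificate verification with nothing in the log to explain why. Checking the result and naming the path, e.g. `if (!SSL_CTX_load_verify_locations(ctx_client, buf, NULL)) config_error("Failed to load CA bundle %s", buf);` (using whatever logging helper this file normally uses), turns the silent failure into a diagnosable one. The rest of `crashreport_init_ssl` lies outside the hunk.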
@@ -510,7 +510,7 @@ int check_ping(aClient *cptr) ) { if (IsServer(cptr) || IsConnecting(cptr) || - IsHandshake(cptr) || IsSSLConnectHandshake(cptr)) + IsHandshake(cptr) || IsTLSConnectHandshake(cptr)) { sendto_ops_and_log ("No response from %s, closing link", @@ -520,7 +520,7 @@ int check_ping(aClient *cptr) me.name, get_client_name(cptr, FALSE)); } - if (IsSSLAcceptHandshake(cptr)) + if (IsTLSAcceptHandshake(cptr)) Debug((DEBUG_DEBUG, "ssl accept handshake timeout: %s (%li-%li > %li)", cptr->local->sockhost, TStime(), cptr->local->since, ping)); (void)ircsnprintf(scratch, sizeof(scratch), "Ping timeout: %ld seconds", @@ -545,7 +545,7 @@ int check_ping(aClient *cptr) } else if (!IsPingWarning(cptr) && PINGWARNING > 0 && (IsServer(cptr) || IsHandshake(cptr) || IsConnecting(cptr) || - IsSSLConnectHandshake(cptr)) && + IsTLSConnectHandshake(cptr)) && (TStime() - cptr->local->lasttime) >= (ping + PINGWARNING)) { SetPingWarning(cptr); diff --git a/src/list.c b/src/list.c index ec351c0f7..9caa3e697 100644 --- a/src/list.c +++ b/src/list.c @@ -319,7 +319,7 @@ void remove_client_from_list(aClient *cptr) cptr->srvptr->serv->users--; } if (IsUnknown(cptr) || IsConnecting(cptr) || IsHandshake(cptr) - || IsSSLHandshake(cptr) + || IsTLSHandshake(cptr) ) IRCstats.unknown--; diff --git a/src/modules/certfp.c b/src/modules/certfp.c index 56196a3e4..eb83c339c 100644 --- a/src/modules/certfp.c +++ b/src/modules/certfp.c @@ -123,7 +123,7 @@ int certfp_connect(aClient *acptr) { char *fp = moddata_client_get(acptr, "certfp"); - if (fp && !iConf.no_connect_ssl_info) + if (fp && !iConf.no_connect_tls_info) sendnotice(acptr, "*** Your SSL fingerprint is %s", fp); } diff --git a/src/modules/nick.c b/src/modules/nick.c index 26dd614f9..2b74f840f 100644 --- a/src/modules/nick.c +++ b/src/modules/nick.c 
@@ -1426,7 +1426,7 @@ int _register_user(aClient *cptr, aClient *sptr, char *nick, char *username, cha if (IsSecureConnect(sptr)) { - if (sptr->local->ssl && !iConf.no_connect_ssl_info) + if (sptr->local->ssl && !iConf.no_connect_tls_info) { sendnotice(sptr, "*** You are connected to %s with %s", me.name, ssl_get_cipher(sptr->local->ssl)); @@ -1713,7 +1713,7 @@ int AllowClient(aClient *cptr, struct hostent *hp, char *sockhost, char *usernam goto attach; if (aconf->auth && !cptr->local->passwd) continue; - if (aconf->flags.ssl && !IsSecure(cptr)) + if (aconf->flags.tls && !IsSecure(cptr)) continue; if (hp && hp->h_name) { diff --git a/src/modules/server.c b/src/modules/server.c index 0bc4a7b3d..69545cf24 100644 --- a/src/modules/server.c +++ b/src/modules/server.c @@ -365,7 +365,7 @@ skip_host_check: { char *errstr = NULL; - if (!IsSSL(cptr)) + if (!IsTLS(cptr)) { sendto_one(cptr, NULL, "ERROR :Link '%s' denied (Not using SSL/TLS) %s", diff --git a/src/modules/starttls.c b/src/modules/starttls.c index 57b622436..c1a66d7d0 100644 --- a/src/modules/starttls.c +++ b/src/modules/starttls.c @@ -63,13 +63,13 @@ MOD_UNLOAD(starttls) CMD_FUNC(m_starttls) { SSL_CTX *ctx; - int ssl_options; + int tls_options; if (!MyConnect(sptr) || !IsUnknown(sptr)) return 0; ctx = sptr->local->listener->ssl_ctx ? sptr->local->listener->ssl_ctx : ctx_server; - ssl_options = sptr->local->listener->ssl_options ? sptr->local->listener->ssl_options->options : iConf.ssl_options->options; + tls_options = sptr->local->listener->tls_options ? sptr->local->listener->tls_options->options : iConf.tls_options->options; /* Is SSL support enabled? (may not, if failed to load cert/keys/..) */ if (!ctx) @@ -80,7 +80,7 @@ CMD_FUNC(m_starttls) } /* Is STARTTLS disabled? (same response as above) */ - if (ssl_options & SSLFLAG_NOSTARTTLS) + if (tls_options & TLSFLAG_NOSTARTTLS) { sendnumeric(sptr, ERR_NOTREGISTERED); return 0; 
@@ -96,11 +96,11 @@ CMD_FUNC(m_starttls) sendnumeric(sptr, RPL_STARTTLS); send_queued(sptr); - SetSSLStartTLSHandshake(sptr); + SetStartTLSHandshake(sptr); Debug((DEBUG_DEBUG, "Starting SSL handshake (due to STARTTLS) for %s", sptr->local->sockhost)); if ((sptr->local->ssl = SSL_new(ctx)) == NULL) goto fail; - sptr->flags |= FLAGS_SSL; + sptr->flags |= FLAGS_TLS; SSL_set_fd(sptr->local->ssl, sptr->fd); SSL_set_nonblocking(sptr->local->ssl); if (!ircd_SSL_accept(sptr, sptr->fd)) { @@ -117,7 +117,7 @@ fail: /* Failure */ sendnumeric(sptr, ERR_STARTTLS, "STARTTLS failed"); sptr->local->ssl = NULL; - sptr->flags &= ~FLAGS_SSL; + sptr->flags &= ~FLAGS_TLS; SetUnknown(sptr); return 0; } diff --git a/src/modules/stats.c b/src/modules/stats.c index 9f1a3be5e..468c6c74c 100644 --- a/src/modules/stats.c +++ b/src/modules/stats.c @@ -431,7 +431,7 @@ int stats_links(aClient *sptr, char *para) link_p->outgoing.port, link_p->class->name, (link_p->outgoing.options & CONNECT_AUTO) ? "a" : "", - (link_p->outgoing.options & CONNECT_SSL) ? "S" : "", + (link_p->outgoing.options & CONNECT_TLS) ? "S" : "", (link_p->flag.temporary == 1) ? "T" : ""); #ifdef DEBUGMODE sendnotice(sptr, "%s (%p) has refcount %d", @@ -558,8 +558,8 @@ static char *stats_port_helper(ConfigItem_listen *listener) ircsnprintf(buf, sizeof(buf), "%s%s%s%s", (listener->options & LISTENER_CLIENTSONLY)? "clientsonly ": "", (listener->options & LISTENER_SERVERSONLY)? "serversonly ": "", - (listener->options & LISTENER_SSL)? "ssl ": "", - !(listener->options & LISTENER_SSL)? "plaintext ": ""); + (listener->options & LISTENER_TLS)? "ssl ": "", + !(listener->options & LISTENER_TLS)? "plaintext ": ""); return buf; } 
@@ -1109,16 +1109,16 @@ int stats_set(aClient *sptr, char *para) sendtxtnumeric(sptr, "hide-ban-reason: %d", HIDE_BAN_REASON); sendtxtnumeric(sptr, "anti-spam-quit-message-time: %s", pretty_time_val(ANTI_SPAM_QUIT_MSG_TIME)); sendtxtnumeric(sptr, "channel-command-prefix: %s", CHANCMDPFX ? CHANCMDPFX : "`"); - sendtxtnumeric(sptr, "ssl::certificate: %s", SafePrint(iConf.ssl_options->certificate_file)); - sendtxtnumeric(sptr, "ssl::key: %s", SafePrint(iConf.ssl_options->key_file)); - sendtxtnumeric(sptr, "ssl::trusted-ca-file: %s", SafePrint(iConf.ssl_options->trusted_ca_file)); - sendtxtnumeric(sptr, "ssl::options: %s", iConf.ssl_options->options & SSLFLAG_FAILIFNOCERT ? "FAILIFNOCERT" : ""); + sendtxtnumeric(sptr, "ssl::certificate: %s", SafePrint(iConf.tls_options->certificate_file)); + sendtxtnumeric(sptr, "ssl::key: %s", SafePrint(iConf.tls_options->key_file)); + sendtxtnumeric(sptr, "ssl::trusted-ca-file: %s", SafePrint(iConf.tls_options->trusted_ca_file)); + sendtxtnumeric(sptr, "ssl::options: %s", iConf.tls_options->options & TLSFLAG_FAILIFNOCERT ? "FAILIFNOCERT" : ""); sendtxtnumeric(sptr, "options::show-opermotd: %d", SHOWOPERMOTD); sendtxtnumeric(sptr, "options::hide-ulines: %d", HIDE_ULINES); sendtxtnumeric(sptr, "options::identd-check: %d", IDENT_CHECK); sendtxtnumeric(sptr, "options::fail-oper-warn: %d", FAILOPER_WARN); sendtxtnumeric(sptr, "options::show-connect-info: %d", SHOWCONNECTINFO); - sendtxtnumeric(sptr, "options::no-connect-ssl-info: %d", NOCONNECTSSLINFO); + sendtxtnumeric(sptr, "options::no-connect-tls-info: %d", NOCONNECTSSLINFO); sendtxtnumeric(sptr, "options::dont-resolve: %d", DONT_RESOLVE); sendtxtnumeric(sptr, "options::mkpasswd-for-everyone: %d", MKPASSWD_FOR_EVERYONE); sendtxtnumeric(sptr, "options::allow-insane-bans: %d", ALLOW_INSANE_BANS); diff --git a/src/modules/sts.c b/src/modules/sts.c index 21aadde42..513ab167d 100644 --- a/src/modules/sts.c +++ b/src/modules/sts.c 
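Review bot: The label changes to `options::no-connect-tls-info` but the value still comes from the `NOCONNECTSSLINFO` macro, while the underlying field is renamed to `no_connect_tls_info` in this same patch (see `iConf.no_connect_tls_info` in certfp.c and nick.c). The macro's definition is not in this chunk: if it still expands to the old member name the build breaks, and if it was updated, giving the macro a TLS spelling in the same pass would keep the `/stats set` output and the code consistent. The neighbouring `ssl::certificate`, `ssl::key`, `ssl::trusted-ca-file` and `ssl::options` labels likewise keep the old spelling although the configuration now also accepts `set::tls`; a follow-up should decide which spelling `/stats set` reports.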
@@ -57,20 +57,20 @@ MOD_UNLOAD(sts) */ int sts_capability_visible(aClient *acptr) { - SSLOptions *ssl; + TLSOptions *ssl; /* This is possible if queried from the CAP NEW/DEL code */ if (acptr == NULL) - return (iConf.ssl_options && iConf.ssl_options->sts_port) ? 1 : 0; + return (iConf.tls_options && iConf.tls_options->sts_port) ? 1 : 0; if (!IsSecure(acptr)) { - if (iConf.ssl_options && iConf.ssl_options->sts_port) + if (iConf.tls_options && iConf.tls_options->sts_port) return 1; /* YES, non-SSL user and set::ssl::sts-policy configured */ return 0; /* NO, there is no sts-policy */ } - ssl = FindSSLOptionsForUser(acptr); + ssl = FindTLSOptionsForUser(acptr); if (ssl && ssl->sts_port) return 1; @@ -80,13 +80,13 @@ int sts_capability_visible(aClient *acptr) char *sts_capability_parameter(aClient *acptr) { - SSLOptions *ssl; + TLSOptions *ssl; static char buf[256]; if (IsSecure(acptr)) - ssl = FindSSLOptionsForUser(acptr); + ssl = FindTLSOptionsForUser(acptr); else - ssl = iConf.ssl_options; + ssl = iConf.tls_options; if (!ssl) return ""; /* This would be odd. */ diff --git a/src/modules/trace.c b/src/modules/trace.c index 11af5957d..b1035b875 100644 --- a/src/modules/trace.c +++ b/src/modules/trace.c @@ -210,11 +210,11 @@ CMD_FUNC(m_trace) cnt++; break; #ifdef USE_SSL - case STAT_SSL_CONNECT_HANDSHAKE: + case STAT_TLS_CONNECT_HANDSHAKE: sendnumeric(sptr, RPL_TRACENEWTYPE, "SSL-Connect-Handshake", name); cnt++; break; - case STAT_SSL_ACCEPT_HANDSHAKE: + case STAT_TLS_ACCEPT_HANDSHAKE: sendnumeric(sptr, RPL_TRACENEWTYPE, "SSL-Accept-Handshake", name); cnt++; break; diff --git a/src/serv.c b/src/serv.c index aaaf41496..bafbbf1a5 100644 --- a/src/serv.c +++ b/src/serv.c 
@@ -397,12 +397,12 @@ char *get_cptr_status(aClient *acptr) *p++ = 'S'; if (acptr->umodes & LISTENER_CLIENTSONLY) *p++ = 'C'; - if (acptr->umodes & LISTENER_SSL) + if (acptr->umodes & LISTENER_TLS) *p++ = 's'; } else { - if (acptr->flags & FLAGS_SSL) + if (acptr->flags & FLAGS_TLS) *p++ = 's'; } *p++ = ']'; diff --git a/src/socket.c b/src/socket.c index e17b7bf04..6f3bd2323 100644 --- a/src/socket.c +++ b/src/socket.c @@ -48,7 +48,7 @@ int deliver_it(aClient *cptr, char *str, int len, int *want_read) if (IsDead(cptr) || (!IsServer(cptr) && !IsPerson(cptr) && !IsHandshake(cptr) - && !IsSSLHandshake(cptr) + && !IsTLSHandshake(cptr) && !IsUnknown(cptr))) { @@ -59,7 +59,7 @@ int deliver_it(aClient *cptr, char *str, int len, int *want_read) return -1; } - if (IsSSL(cptr) && cptr->local->ssl != NULL) + if (IsTLS(cptr) && cptr->local->ssl != NULL) { retval = SSL_write(cptr->local->ssl, str, len); diff --git a/src/ssl.c b/src/ssl.c index de463546d..109a2bd03 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -227,7 +227,7 @@ static int setup_dh_params(SSL_CTX *ctx) { DH *dh; BIO *bio; - char *dh_file = iConf.ssl_options ? iConf.ssl_options->dh_file : tempiConf.ssl_options->dh_file; + char *dh_file = iConf.tls_options ? iConf.tls_options->dh_file : tempiConf.tls_options->dh_file; /* ^^ because we can be called both before config file initalization or after */ if (dh_file == NULL) @@ -256,7 +256,7 @@ static int setup_dh_params(SSL_CTX *ctx) } /** Disable SSL/TLS protocols as set by config */ -void disable_ssl_protocols(SSL_CTX *ctx, SSLOptions *ssloptions) +void disable_ssl_protocols(SSL_CTX *ctx, TLSOptions *tlsoptions) { /* OpenSSL has two mechanisms for protocol version control: * 
@@ -275,12 +275,12 @@ void disable_ssl_protocols(SSL_CTX *ctx, SSLOptions *ssloptions) * minimum protocol version to begin with. */ #ifdef HAS_SSL_CTX_SET_MIN_PROTO_VERSION - if (!(ssloptions->protocols & SSL_PROTOCOL_TLSV1) && - !(ssloptions->protocols & SSL_PROTOCOL_TLSV1_1)) + if (!(tlsoptions->protocols & TLS_PROTOCOL_TLSV1) && + !(tlsoptions->protocols & TLS_PROTOCOL_TLSV1_1)) { SSL_CTX_set_min_proto_version(ctx, TLS1_2_VERSION); } else - if (!(ssloptions->protocols & SSL_PROTOCOL_TLSV1)) + if (!(tlsoptions->protocols & TLS_PROTOCOL_TLSV1)) { SSL_CTX_set_min_proto_version(ctx, TLS1_1_VERSION); } else @@ -292,27 +292,27 @@ void disable_ssl_protocols(SSL_CTX *ctx, SSLOptions *ssloptions) SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3); /* always disable SSLv3 */ #ifdef SSL_OP_NO_TLSv1 - if (!(ssloptions->protocols & SSL_PROTOCOL_TLSV1)) + if (!(tlsoptions->protocols & TLS_PROTOCOL_TLSV1)) SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1); #endif #ifdef SSL_OP_NO_TLSv1_1 - if (!(ssloptions->protocols & SSL_PROTOCOL_TLSV1_1)) + if (!(tlsoptions->protocols & TLS_PROTOCOL_TLSV1_1)) SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1_1); #endif #ifdef SSL_OP_NO_TLSv1_2 - if (!(ssloptions->protocols & SSL_PROTOCOL_TLSV1_2)) + if (!(tlsoptions->protocols & TLS_PROTOCOL_TLSV1_2)) SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1_2); #endif #ifdef SSL_OP_NO_TLSv1_3 - if (!(ssloptions->protocols & SSL_PROTOCOL_TLSV1_3)) + if (!(tlsoptions->protocols & TLS_PROTOCOL_TLSV1_3)) SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1_3); #endif } -SSL_CTX *init_ctx(SSLOptions *ssloptions, int server) +SSL_CTX *init_ctx(TLSOptions *tlsoptions, int server) { SSL_CTX *ctx; char *errstr = NULL; 
@@ -328,10 +328,10 @@ SSL_CTX *init_ctx(SSLOptions *ssloptions, int server) config_report_ssl_error(); return NULL; } - disable_ssl_protocols(ctx, ssloptions); + disable_ssl_protocols(ctx, tlsoptions); SSL_CTX_set_default_passwd_cb(ctx, ssl_pem_passwd_cb); - if (server && !(ssloptions->options & SSLFLAG_DISABLECLIENTCERT)) + if (server && !(tlsoptions->options & TLSFLAG_DISABLECLIENTCERT)) { /* We tell OpenSSL/LibreSSL to verify the certificate and set our callback. * Our callback will always accept the certificate since actual checking @@ -340,7 +340,7 @@ SSL_CTX *init_ctx(SSLOptions *ssloptions, int server) * _verify_link() will take care of it only after we learned what server * we are dealing with (and if we should verify certificates for that server). */ - SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER|SSL_VERIFY_CLIENT_ONCE | (ssloptions->options & SSLFLAG_FAILIFNOCERT ? SSL_VERIFY_FAIL_IF_NO_PEER_CERT : 0), ssl_verify_callback); + SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER|SSL_VERIFY_CLIENT_ONCE | (tlsoptions->options & TLSFLAG_FAILIFNOCERT ? SSL_VERIFY_FAIL_IF_NO_PEER_CERT : 0), ssl_verify_callback); } SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF); #ifndef SSL_OP_NO_TICKET 
@@ -351,30 +351,30 @@ SSL_CTX *init_ctx(SSLOptions *ssloptions, int server) if (!setup_dh_params(ctx)) goto fail; - if (!ssloptions->certificate_file) + if (!tlsoptions->certificate_file) { config_error("No SSL certificate configured (set::options::ssl::certificate or in a listen block)"); config_report_ssl_error(); goto fail; } - if (SSL_CTX_use_certificate_chain_file(ctx, ssloptions->certificate_file) <= 0) + if (SSL_CTX_use_certificate_chain_file(ctx, tlsoptions->certificate_file) <= 0) { - config_error("Failed to load SSL certificate %s", ssloptions->certificate_file); + config_error("Failed to load SSL certificate %s", tlsoptions->certificate_file); config_report_ssl_error(); goto fail; } - if (!ssloptions->key_file) + if (!tlsoptions->key_file) { config_error("No SSL key configured (set::options::ssl::key or in a listen block)"); config_report_ssl_error(); goto fail; } - if (SSL_CTX_use_PrivateKey_file(ctx, ssloptions->key_file, SSL_FILETYPE_PEM) <= 0) + if (SSL_CTX_use_PrivateKey_file(ctx, tlsoptions->key_file, SSL_FILETYPE_PEM) <= 0) { - config_error("Failed to load SSL private key %s", ssloptions->key_file); + config_error("Failed to load SSL private key %s", tlsoptions->key_file); config_report_ssl_error(); goto fail; } @@ -386,7 +386,7 @@ SSL_CTX *init_ctx(SSLOptions *ssloptions, int server) goto fail; } - if (SSL_CTX_set_cipher_list(ctx, ssloptions->ciphers) == 0) + if (SSL_CTX_set_cipher_list(ctx, tlsoptions->ciphers) == 0) { config_error("Failed to set SSL cipher list"); config_report_ssl_error(); @@ -394,7 +394,7 @@ SSL_CTX *init_ctx(SSLOptions *ssloptions, int server) } #ifdef SSL_OP_NO_TLSv1_3 - if (SSL_CTX_set_ciphersuites(ctx, ssloptions->ciphersuites) == 0) + if (SSL_CTX_set_ciphersuites(ctx, tlsoptions->ciphersuites) == 0) { config_error("Failed to set SSL ciphersuites list"); config_report_ssl_error(); 
@@ -413,11 +413,11 @@ SSL_CTX *init_ctx(SSLOptions *ssloptions, int server) if (server) SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE); - if (ssloptions->trusted_ca_file) + if (tlsoptions->trusted_ca_file) { - if (!SSL_CTX_load_verify_locations(ctx, ssloptions->trusted_ca_file, NULL)) + if (!SSL_CTX_load_verify_locations(ctx, tlsoptions->trusted_ca_file, NULL)) { - config_error("Failed to load Trusted CA's from %s", ssloptions->trusted_ca_file); + config_error("Failed to load Trusted CA's from %s", tlsoptions->trusted_ca_file); config_report_ssl_error(); goto fail; } @@ -441,10 +441,10 @@ SSL_CTX *init_ctx(SSLOptions *ssloptions, int server) */ #endif /* Let's see if we need to (and can) set specific curves */ - if (ssloptions->ecdh_curves) + if (tlsoptions->ecdh_curves) { #ifdef HAS_SSL_CTX_SET1_CURVES_LIST - if (!SSL_CTX_set1_curves_list(ctx, ssloptions->ecdh_curves)) + if (!SSL_CTX_set1_curves_list(ctx, tlsoptions->ecdh_curves)) { config_error("Failed to apply ecdh-curves '%s'. " "To get a list of supported curves with the " @@ -452,7 +452,7 @@ SSL_CTX *init_ctx(SSLOptions *ssloptions, int server) "'openssl ecparam -list_curves' on the server. " "Separate multiple curves by colon, " "for example: ecdh-curves \"secp521r1:secp384r1\".", - ssloptions->ecdh_curves); + tlsoptions->ecdh_curves); config_report_ssl_error(); goto fail; } @@ -496,10 +496,10 @@ int early_init_ssl(void) int init_ssl(void) { /* SSL preliminaries. We keep the certificate and key with the context. */ - ctx_server = init_ctx(iConf.ssl_options, 1); + ctx_server = init_ctx(iConf.tls_options, 1); if (!ctx_server) return 0; - ctx_client = init_ctx(iConf.ssl_options, 0); + ctx_client = init_ctx(iConf.tls_options, 0); if (!ctx_client) return 0; return 1; 
@@ -521,7 +521,7 @@ void reinit_ssl(aClient *acptr) mylog("%s requested a reload of all SSL related data (/rehash -ssl)", acptr->name); - tmp = init_ctx(iConf.ssl_options, 1); + tmp = init_ctx(iConf.tls_options, 1); if (!tmp) { config_error("SSL Reload failed."); @@ -530,7 +530,7 @@ void reinit_ssl(aClient *acptr) } ctx_server = tmp; /* activate */ - tmp = init_ctx(iConf.ssl_options, 0); + tmp = init_ctx(iConf.tls_options, 0); if (!tmp) { config_error("SSL Reload partially failed. Server context is reloaded, client context failed"); @@ -542,9 +542,9 @@ void reinit_ssl(aClient *acptr) /* listen::ssl-options.... */ for (listen = conf_listen; listen; listen = listen->next) { - if (listen->ssl_options) + if (listen->tls_options) { - tmp = init_ctx(listen->ssl_options, 1); + tmp = init_ctx(listen->tls_options, 1); if (!tmp) { config_error("SSL Reload partially failed. listen::ssl-options error, see above"); @@ -558,9 +558,9 @@ void reinit_ssl(aClient *acptr) /* sni::ssl-options.... */ for (sni = conf_sni; sni; sni = sni->next) { - if (sni->ssl_options) + if (sni->tls_options) { - tmp = init_ctx(sni->ssl_options, 1); + tmp = init_ctx(sni->tls_options, 1); if (!tmp) { config_error("SSL Reload partially failed. sni::ssl-options error, see above"); @@ -574,9 +574,9 @@ void reinit_ssl(aClient *acptr) /* link::outgoing::ssl-options.... */ for (link = conf_link; link; link = link->next) { - if (link->ssl_options) + if (link->tls_options) { - tmp = init_ctx(link->ssl_options, 1); + tmp = init_ctx(link->tls_options, 1); if (!tmp) { config_error("SSL Reload partially failed. link::outgoing::ssl-options error in link %s { }, see above", 
@@ -612,15 +612,15 @@ char *ssl_get_cipher(SSL *ssl)
 /** Get the applicable ::ssl-options block for this local client,
 * which may be defined in the link block, listen block, or set block.
 */
-SSLOptions *get_ssl_options_for_client(aClient *acptr)
+TLSOptions *get_tls_options_for_client(aClient *acptr)
 {
 if (!acptr->local)
 return NULL;
- if (acptr->serv && acptr->serv->conf && acptr->serv->conf->ssl_options)
- return acptr->serv->conf->ssl_options;
- if (acptr->local && acptr->local->listener && acptr->local->listener->ssl_options)
- return acptr->local->listener->ssl_options;
- return iConf.ssl_options;
+ if (acptr->serv && acptr->serv->conf && acptr->serv->conf->tls_options)
+ return acptr->serv->conf->tls_options;
+ if (acptr->local && acptr->local->listener && acptr->local->listener->tls_options)
+ return acptr->local->listener->tls_options;
+ return iConf.tls_options;
 }
 /** Outgoing SSL connect (read: handshake) to another server. */
@@ -628,7 +628,7 @@ void ircd_SSL_client_handshake(int fd, int revents, void *data)
 {
 aClient *acptr = data;
 SSL_CTX *ctx = (acptr->serv && acptr->serv->conf && acptr->serv->conf->ssl_ctx) ? acptr->serv->conf->ssl_ctx : ctx_client;
- SSLOptions *ssloptions = get_ssl_options_for_client(acptr);
+ TLSOptions *tlsoptions = get_tls_options_for_client(acptr);
 if (!ctx)
 {
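Review bot: In get_tls_options_for_client the listener branch re-tests `acptr->local` even though the guard at the top of the function has already returned NULL when it is unset; the renamed line can drop that clause and read `if (acptr->local->listener && acptr->local->listener->tls_options)`. The header comment should also state the NULL cases, since callers dereference the result: something like ` * Returns NULL for non-local clients, and propagates a NULL iConf.tls_options if no global options are loaded.` — the second case is inferred from the fall-through return and should be confirmed against the config loader.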
@@ -647,16 +647,16 @@ void ircd_SSL_client_handshake(int fd, int revents, void *data)
 SSL_set_connect_state(acptr->local->ssl);
 SSL_set_nonblocking(acptr->local->ssl);
- if (ssloptions->renegotiate_bytes > 0)
+ if (tlsoptions->renegotiate_bytes > 0)
 {
- BIO_set_ssl_renegotiate_bytes(SSL_get_rbio(acptr->local->ssl), ssloptions->renegotiate_bytes);
- BIO_set_ssl_renegotiate_bytes(SSL_get_wbio(acptr->local->ssl), ssloptions->renegotiate_bytes);
+ BIO_set_ssl_renegotiate_bytes(SSL_get_rbio(acptr->local->ssl), tlsoptions->renegotiate_bytes);
+ BIO_set_ssl_renegotiate_bytes(SSL_get_wbio(acptr->local->ssl), tlsoptions->renegotiate_bytes);
 }
- if (ssloptions->renegotiate_timeout > 0)
+ if (tlsoptions->renegotiate_timeout > 0)
 {
- BIO_set_ssl_renegotiate_timeout(SSL_get_rbio(acptr->local->ssl), ssloptions->renegotiate_timeout);
- BIO_set_ssl_renegotiate_timeout(SSL_get_wbio(acptr->local->ssl), ssloptions->renegotiate_timeout);
+ BIO_set_ssl_renegotiate_timeout(SSL_get_rbio(acptr->local->ssl), tlsoptions->renegotiate_timeout);
+ BIO_set_ssl_renegotiate_timeout(SSL_get_wbio(acptr->local->ssl), tlsoptions->renegotiate_timeout);
 }
 if (acptr->serv && acptr->serv->conf)
@@ -665,7 +665,7 @@ void ircd_SSL_client_handshake(int fd, int revents, void *data)
 SSL_set_tlsext_host_name(acptr->local->ssl, acptr->serv->conf->servername);
 }
- acptr->flags |= FLAGS_SSL;
+ acptr->flags |= FLAGS_TLS;
 switch (ircd_SSL_connect(acptr, fd))
 {
@@ -675,8 +675,8 @@ void ircd_SSL_client_handshake(int fd, int revents, void *data)
 --OpenFiles;
 return;
 case 0:
- Debug((DEBUG_DEBUG, "SetSSLConnectHandshake(%s)", get_client_name(acptr, TRUE)));
- SetSSLConnectHandshake(acptr);
+ Debug((DEBUG_DEBUG, "SetTLSConnectHandshake(%s)", get_client_name(acptr, TRUE)));
+ SetTLSConnectHandshake(acptr);
 return;
 case 1:
 Debug((DEBUG_DEBUG, "SSL_init_finished should finish this job (%s)", get_client_name(acptr, TRUE)));
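Review bot: ircd_SSL_client_handshake dereferences `tlsoptions` at `if (tlsoptions->renegotiate_bytes > 0)` and again at the renegotiate_timeout test without checking it for NULL, whereas outdated_tls_client in the later hunk of this file guards the same lookup with `if (!tlsoptions) return 0;`. get_tls_options_for_client ends by returning iConf.tls_options, which the comment on FindTLSOptionsForUser describes as possibly NULL, so an outgoing server link made before or without global options would crash here rather than fail the connect. Change the two guards to `if (tlsoptions && tlsoptions->renegotiate_bytes > 0)` and `if (tlsoptions && tlsoptions->renegotiate_timeout > 0)`, or reject the connect with a logged error when the lookup yields NULL. The function begins in the previous hunk and continues past the end of this one.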
@@ -935,7 +935,7 @@ int client_starttls(aClient *acptr)
 if ((acptr->local->ssl = SSL_new(ctx_client)) == NULL)
 goto fail_starttls;
- acptr->flags |= FLAGS_SSL;
+ acptr->flags |= FLAGS_TLS;
 SSL_set_fd(acptr->local->ssl, acptr->fd);
 SSL_set_nonblocking(acptr->local->ssl);
@@ -961,19 +961,19 @@ fail_starttls:
 /* Failure */
 sendnumeric(acptr, ERR_STARTTLS, "STARTTLS failed");
 acptr->local->ssl = NULL;
- acptr->flags &= ~FLAGS_SSL;
+ acptr->flags &= ~FLAGS_TLS;
 SetUnknown(acptr);
 return 0; /* hm. we allow to continue anyway. not sure if we want that. */
 }
-/** Find the appropriate SSLOptions structure for a client.
+/** Find the appropriate TLSOptions structure for a client.
 * NOTE: The default global SSL options will be returned if not found,
 * or NULL if no such options are available (unlikely, but possible?).
 */
-SSLOptions *FindSSLOptionsForUser(aClient *acptr)
+TLSOptions *FindTLSOptionsForUser(aClient *acptr)
 {
 ConfigItem_sni *sni;
- SSLOptions *sslopt = iConf.ssl_options; /* default */
+ TLSOptions *sslopt = iConf.tls_options; /* default */
 if (!MyConnect(acptr) || !IsSecure(acptr))
 return NULL;
@@ -984,7 +984,7 @@ SSLOptions *FindSSLOptionsForUser(aClient *acptr)
 sni = Find_sni(acptr->local->sni_servername);
 if (sni)
 {
- sslopt = sni->ssl_options;
+ sslopt = sni->tls_options;
 }
 /* It is perfectly possible that 'name' is not found and 'sni' is NULL,
 * if a client used a hostname which we do not know about (eg: 'dummy').
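Review bot: FindTLSOptionsForUser keeps the old local name in `TLSOptions *sslopt = iConf.tls_options; /* default */` while every other renamed function in this file now uses `tlsoptions`, and its comment still says "default global SSL options"; since this is the rename commit, renaming the local (here and in the `sslopt = sni->tls_options;` line of the next hunk) and updating the comment to "default global TLS options" would finish the job for this function. Note the function body continues beyond the last hunk shown, so any further uses of `sslopt` there need the same treatment.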
@@ -1200,23 +1200,23 @@ char *spki_fingerprint(aClient *cptr)
 /** Returns 1 if the client is using an outdated protocol or cipher, 0 otherwise */
 int outdated_tls_client(aClient *acptr)
 {
- SSLOptions *ssloptions = get_ssl_options_for_client(acptr);
+ TLSOptions *tlsoptions = get_tls_options_for_client(acptr);
 char buf[1024], *name, *p;
 const char *client_protocol = SSL_get_version(acptr->local->ssl);
 const char *client_ciphersuite = SSL_get_cipher(acptr->local->ssl);
 int bad = 0;
- if (!ssloptions)
+ if (!tlsoptions)
 return 0; /* odd.. */
- strlcpy(buf, ssloptions->outdated_protocols, sizeof(buf));
+ strlcpy(buf, tlsoptions->outdated_protocols, sizeof(buf));
 for (name = strtoken(&p, buf, ","); name; name = strtoken(&p, NULL, ","))
 {
 if (!_match(name, client_protocol))
 return 1; /* outdated protocol */
 }
- strlcpy(buf, ssloptions->outdated_ciphers, sizeof(buf));
+ strlcpy(buf, tlsoptions->outdated_ciphers, sizeof(buf));
 for (name = strtoken(&p, buf, ","); name; name = strtoken(&p, NULL, ","))
 {
 if (!_match(name, client_ciphersuite))
diff --git a/src/url.c b/src/url.c
index 93d6f64c7..4374ad8c4 100644
--- a/src/url.c
+++ b/src/url.c
@@ -129,7 +129,7 @@ char *url_getfilename(const char *url)
 * Sets up all of the SSL options necessary to support HTTPS/FTPS
 * transfers.
 */
-static void set_curl_ssl_options(CURL *curl)
+static void set_curl_tls_options(CURL *curl)
 {
 char buf[512];
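Review bot: In outdated_tls_client the two `strlcpy(buf, tlsoptions->outdated_protocols, sizeof(buf))` / `outdated_ciphers` copies silently truncate a configured list longer than 1023 bytes, so any patterns past the cut are never matched and a client using a protocol or cipher the operator listed as outdated would be reported as fine. Because this function feeds a security decision it should fail loudly: check the strlcpy return value against `sizeof(buf)` and log a config error (or, better, reject over-long lists when the config is loaded, if the loader does not already bound them). If either field can be left unset, the copies also need a NULL check first, since strlcpy on a NULL source is undefined behaviour — I cannot tell from this hunk whether the config always provides defaults. The function continues after the end of this hunk.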
@@ -138,13 +138,13 @@ static void set_curl_ssl_options(CURL *curl)
 * But this information is not known yet since the configuration file has not been
 * parsed yet at this point.
 */
- curl_easy_setopt(curl, CURLOPT_SSLCERT, iConf.ssl_options->certificate_file);
+ curl_easy_setopt(curl, CURLOPT_SSLCERT, iConf.tls_options->certificate_file);
 if (SSLKeyPasswd)
 curl_easy_setopt(curl, CURLOPT_SSLKEYPASSWD, SSLKeyPasswd);
- curl_easy_setopt(curl, CURLOPT_SSLKEY, iConf.ssl_options->key_file);
+ curl_easy_setopt(curl, CURLOPT_SSLKEY, iConf.tls_options->key_file);
 #endif
- snprintf(buf, sizeof(buf), "%s/ssl/curl-ca-bundle.crt", CONFDIR);
+ snprintf(buf, sizeof(buf), "%s/tls/curl-ca-bundle.crt", CONFDIR);
 curl_easy_setopt(curl, CURLOPT_CAINFO, buf);
 }
@@ -218,7 +218,7 @@ char *download_file(const char *url, char **error)
 */
 curl_easy_setopt(curl, CURLOPT_FORBID_REUSE, 1);
- set_curl_ssl_options(curl);
+ set_curl_tls_options(curl);
 bzero(errorbuf, CURL_ERROR_SIZE);
 curl_easy_setopt(curl, CURLOPT_ERRORBUFFER, errorbuf);
 res = curl_easy_perform(curl);
@@ -430,7 +430,7 @@ void download_file_async(const char *url, time_t cachetime, vFP callback, void *
 curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, do_download);
 curl_easy_setopt(curl, CURLOPT_WRITEDATA, (void *)handle->fd);
 curl_easy_setopt(curl, CURLOPT_FAILONERROR, 1);
- set_curl_ssl_options(curl);
+ set_curl_tls_options(curl);
 bzero(handle->errorbuf, CURL_ERROR_SIZE);
 curl_easy_setopt(curl, CURLOPT_ERRORBUFFER, handle->errorbuf);
 curl_easy_setopt(curl, CURLOPT_PRIVATE, (char *)handle);
diff --git a/src/windows/makecert.bat b/src/windows/makecert.bat
index fd232bcbd..caa412814 100755
--- a/src/windows/makecert.bat
+++ b/src/windows/makecert.bat
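Review bot: The CA bundle path for CURLOPT_CAINFO now hardcodes `"%s/tls/curl-ca-bundle.crt"`, so this function's correctness depends on the install step placing the bundle under conf/tls as well; if the installer still copies it into conf/ssl, a fresh install (which has no pre-existing conf/ssl directory and therefore gets no compatibility symlink) would leave libcurl pointing at a missing CA file and every HTTPS download would fail CA loading. Please confirm the install target matches, and record the dependency above the snprintf with a comment such as `/* Must match the directory the installer copies curl-ca-bundle.crt into (conf/tls). */`. The snprintf result is also unchecked; a truncated CONFDIR would produce a wrong path rather than an error, so `if (snprintf(...) >= sizeof(buf)) { config_error(...); return; }` style handling would make that failure visible too.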
@@ -1,6 +1,6 @@
 @title Certificate Generation
 SET OPENSSL_CONF=ssl.cnf
 openssl ecparam -out server.key.pem -name secp384r1 -genkey
-openssl req -new -config ssl.cnf -out conf/ssl/server.req.pem -key conf/ssl/server.key.pem -nodes
-openssl req -x509 -config ssl.cnf -days 3650 -sha256 -in conf/ssl/server.req.pem -key conf/ssl/server.key.pem -out conf/ssl/server.cert.pem
+openssl req -new -config ssl.cnf -out conf/tls/server.req.pem -key conf/tls/server.key.pem -nodes
+openssl req -x509 -config ssl.cnf -days 3650 -sha256 -in conf/tls/server.req.pem -key conf/tls/server.key.pem -out conf/tls/server.cert.pem
diff --git a/unrealircd.in b/unrealircd.in
index aabdfa37b..50b9c5517 100644
--- a/unrealircd.in
+++ b/unrealircd.in
@@ -211,7 +211,7 @@ __EOF__
 echo ""
 echo "Thanks!"
 elif [ "$1" = "spki" -o "$1" = "spkifp" ] ; then
- CERT="@CONFDIR@/ssl/server.cert.pem"
+ CERT="@CONFDIR@/tls/server.cert.pem"
 if [ "$2" != "" ]; then
 CERT="$2"
 fi