From 256308a707b648f08ab231cd31e92fdb86b67502 Mon Sep 17 00:00:00 2001
From: Bram Matthys
Date: Mon, 8 Sep 2025 11:05:13 +0200
Subject: [PATCH] Switch back to OpenSSL for the Windows build:

* In 2016 we switched from OpenSSL to LibreSSL because the OpenSSL codebase was in a bit of bad shape and LibreSSL promised to be a more modern codebase. Now, almost a decade later, OpenSSL has had many code cleanups and is more security aware (code audits etc), especially since OpenSSL v3 things are looking OK and it seems LibreSSL doesn't have much progress nowadays. Which is understandable as they have a lot fewer coders available but has an effect on things like how long it took for TLSv1.3 to appear and for other new things like PQC. It also seems like security fixes are now slower than OpenSSL instead of the other way around. Anyway, I think they did their job well (together with other people) in "triggering" the OpenSSL project to get things back on track. Let's switch back now.
* For context: it seems several Linux distros that used to go for LibreSSL have also switched back to OpenSSL.
* LibreSSL is still and will continue to be a supported library to use with UnrealIRCd (especially with OpenBSD and FreeBSD in mind). So, if there are any issues (compile problems, configuration problems, some feature not detected), then please report it on our bug tracker at https://bugs.unrealircd.org/ ! We will have to rely more on such user-reports now that the main devs will likely only work with OpenSSL.

Also... I have cleaned up the Makefile.windows a bit to be more consistent. Hopefully I didn't make a mistake there...

[skip ci]
--- Makefile.windows | 70 ++++++++----------- doc/RELEASE-NOTES.md | 12 ++-- .../build-tests/windows/compilecmd/vs2019.bat | 6 +- src/windows/unrealinst.iss | 4 +- 4 files changed, 42 insertions(+), 50 deletions(-) diff --git a/Makefile.windows b/Makefile.windows index 385d98e86..f2c4a7716 100644 --- a/Makefile.windows +++ b/Makefile.windows
@@ -1,6 +1,8 @@ # -# UnrealIRCd Makefile - codemastr +# UnrealIRCd Makefile for Windows +# Originally written by codemastr # + CC=cl LINK=link RC=rc @@ -9,10 +11,19 @@ MT=mt ############################ USER CONFIGURATION ############################ # You are encouraged NOT to set these values here, but instead make a batch file -# which passes all these arguments to nmake, like: -# nmake -f makefile.windows LIBRESSL_INC_DIR="c:\dev\libressl" etc etc... -# Both ways will work, but if you use a batch file it's easier with -# upgrading UnrealIRCd as you won't have to edit this makefile again. +# file called "build.bat" which passes all these arguments to nmake, like: +# nmake -f makefile.windows SSL_INC_DIR="c:\dev\unrealircd-6-libs\openssl" etc etc... +# as explained in https://www.unrealircd.org/docs/Compiling_UnrealIRCd_on_Windows + +# And most likely you want the UnrealIRCd libraries pack, so you don't have +# to compile all these libraries by yourself, see: +# https://www.unrealircd.org/docs/Windows_external_libraries_for_UnrealIRCd + +### SSL/TLS ### +#Use OpenSSL or LibreSSL. Define paths and libraries: +#SSL_LIB_DIR="c:\dev\unrealircd-6-libs\openssl\lib" +#SSL_INC_DIR="c:\dev\unrealircd-6-libs\openssl\include" +#SSLLIB="libcrypto.lib libssl.lib" ### PCRE2 ### #PCRE2_LIB_DIR="C:\dev\pcre2\build\release" 
@@ -44,47 +55,24 @@ MT=mt #GEOIPCLASSIC_INC_DIR="c:\dev\unrealircd-6-libs\GeoIP\libGeoIP" ^ #GEOIPCLASSICLIB="GeoIP.lib" -##### REMOTE INCLUDES #### -#To enable remote include support you must have libcurl installed on your -#system and it must have ares support enabled. -# -# -#To enable remote includes uncomment the next line: +### REMOTE INCLUDES ### #USE_REMOTEINC=1 -# -#If your libcurl library and include files are not in your compiler's -#default locations, specify the locations here: -#LIBCURL_INC_DIR="c:\dev\curl\include" -#LIBCURL_LIB_DIR="c:\dev\curl\lib" -# -# -### END REMOTE INCLUDES ## - -####### SSL/TLS SUPPORT (MANDATORY) ###### -#Use LibreSSL or OpenSSL. Define paths and libraries: -#LIBRESSL_INC_DIR="c:\dev\libressl\include" -#LIBRESSL_LIB_DIR="c:\dev\libressl\lib" -#SSLLIB=libcrypto-38.lib libssl-39.lib libtls-11.lib -#The version numbers of the 3 libraries in the last line change -#every libressl release. So be sure to update after any libressl upgrade. -######### END SSL/TLS ######## +#LIBCURL_LIB_DIR="c:\dev\unrealircd-6-libs\curl\lib" +#LIBCURL_INC_DIR="c:\dev\unrealircd-6-libs\curl\include" ###### _EXTRA_ DEBUGGING ##### # We always build releases with debugging information, since otherwise # we cannot trace the source of a crash. Plus we do not mind the extra # performance hit caused by not enabling super-optimization, tracing # crashes properly is more important. -# You can choose (at your own risk) to enable EVEN MORE debugging, +# You can choose to (at your own risk) enable EVEN MORE debugging, # note that this causes /MDd to be used instead of /MD which can make # libraries incompatible, plus all the other side-effects such as -# requiring a different dll we do not ship (and maybe you are not even -# allowed to ship due to license agreements), etc... 
-# In any case, this probably should not be used, unless debugging a +# requiring a different runtime dll we do not ship (and maybe you are +# not even allowed to ship due to license agreements), etc... +# In any case, this probably SHOULD NOT BE USED, unless debugging a # problem locally, in which case it can be useful. #DEBUGEXTRA=1 -# -# -#### END RELEASE BUILD ### ############################# END CONFIGURATION ############################ @@ -135,11 +123,11 @@ LIBCURL_LIB=/LIBPATH:"$(LIBCURL_LIB_DIR)" !ENDIF !ENDIF -!IFDEF LIBRESSL_INC_DIR -LIBRESSL_INC=/I "$(LIBRESSL_INC_DIR)" +!IFDEF SSL_INC_DIR +SSL_INC=/I "$(SSL_INC_DIR)" !ENDIF -!IFDEF LIBRESSL_LIB_DIR -LIBRESSL_LIB=/LIBPATH:"$(LIBRESSL_LIB_DIR)" +!IFDEF SSL_LIB_DIR +SSL_LIB=/LIBPATH:"$(SSL_LIB_DIR)" !ENDIF !IFDEF DEBUGEXTRA @@ -154,13 +142,13 @@ DBGLFLAG=/debug MODDBGCFLAG=/LDd /MD /Zi !ENDIF -STDOPTIONS=$(PCRE2_INC) $(ARGON2_INC) $(SODIUM_INC) $(JANSSON_INC) $(CARES_INC) $(LIBCURL_INC) $(LIBRESSL_INC) \ +STDOPTIONS=$(PCRE2_INC) $(ARGON2_INC) $(SODIUM_INC) $(JANSSON_INC) $(CARES_INC) $(LIBCURL_INC) $(SSL_INC) \ /J /I ./INCLUDE /nologo \ $(CURLCFLAGS) /D FD_SETSIZE=16384 $(SSLCFLAGS) /D _CRT_SECURE_NO_DEPRECATE /D _CRT_NONSTDC_NO_DEPRECATE \ /D FAKELAG_CONFIGURABLE=1 \ /W3 /wd4267 /wd4101 /wd4018 /wd4244 /wd4996 /WX /analyze:ruleset extras\VStudioAnalyze.ruleset STDLIBS=$(CARES_LIB) $(CARESLIB) $(PCRE2_LIB) $(PCRE2LIB) $(ARGON2_LIB) $(ARGON2LIB) \ - $(SODIUM_LIB) $(SODIUMLIB) $(JANSSON_LIB) $(JANSSONLIB) $(LIBRESSL_LIB) $(SSLLIB) $(LIBCURL_LIB) $(CURLLIB) + $(SODIUM_LIB) $(SODIUMLIB) $(JANSSON_LIB) $(JANSSONLIB) $(SSL_LIB) $(SSLLIB) $(LIBCURL_LIB) $(CURLLIB) CFLAGS=$(DBGCFLAG) $(STDOPTIONS) /FS /MP1 /c /Fosrc/ CFLAGSST=$(DBGCFLAGST) $(STDOPTIONS) /FS /MP1 /c /Fosrc/ LFLAGS=kernel32.lib user32.lib gdi32.lib shell32.lib ws2_32.lib advapi32.lib \ diff --git a/doc/RELEASE-NOTES.md b/doc/RELEASE-NOTES.md index 0eb234103..fc37adc59 100644 --- a/doc/RELEASE-NOTES.md +++ b/doc/RELEASE-NOTES.md 
@@ -78,11 +78,9 @@ and spamfilter:input-conversion now properly accepting `deconfused`. ["harvest now, decrypt later"](https://en.wikipedia.org/wiki/Harvest_now,_decrypt_later). * To benefit from this, OpenSSL 3.5.0 or later (released April 2025) is required on the server, and similarly a client that supports this. - At the time of writing, almost all Linux distros don't have such an + At the time of writing, almost no Linux distros have such an OpenSSL version yet (which is not a problem, this new feature will simply - not be available). Notably Debian 13 (when released in August - 2025) will have it. LibreSSL does not support it either yet, so our - Windows build does not have this feature. + not be available). Notably Debian 13 has it, and our Windows build. * Also, change the TLS information on-connect and in WHOIS etc. from something like `TLSv1.3-TLS_CHACHA20_POLY1305_SHA256` to `TLSv1.3/X25519/TLS_CHACHA20_POLY1305_SHA256`. In other words: using @@ -97,6 +95,9 @@ and spamfilter:input-conversion now properly accepting `deconfused`. will work fine if you use `cloak_sha256`). ### Changes: +* Windows: we now use OpenSSL instead of LibreSSL. This also means PQC + is available on Windows now (see Post-quantum cryptography above). + * When a netsplit happens and [set::server-linking::autoconnect-strategy](https://www.unrealircd.org/docs/Set_block#set::server-linking) is `sequential` (which is the default) or `sequential-fallback` @@ -154,6 +155,9 @@ and spamfilter:input-conversion now properly accepting `deconfused`. `PRIVMSG` and `SPAMINFO` for example. * New hook `HOOKTYPE_BANNED_CLIENT` * New hook `HOOKTYPE_CAN_USE_NICK` +* On Windows the variables `LIBRESSL_INC_DIR` and `LIBRESSL_LIB_DIR` + are now `SSL_INC_DIR` and `SSL_LIB_DIR` because we no longer use + nor assume LibreSSL. UnrealIRCd 6.1.10 ================== diff --git a/extras/build-tests/windows/compilecmd/vs2019.bat b/extras/build-tests/windows/compilecmd/vs2019.bat index c962020cf..cf26f59be 100644 
--- a/extras/build-tests/windows/compilecmd/vs2019.bat +++ b/extras/build-tests/windows/compilecmd/vs2019.bat @@ -14,9 +14,9 @@ echo BUILDCOMMAND IS: %BUILDCOMMAND% echo BUILDARGS IS: %BUILDARGS% %BUILDCOMMAND% %BUILDARGS% -f makefile.windows ^ -LIBRESSL_INC_DIR="c:\projects\unrealircd-6-libs\libressl\include" ^ -LIBRESSL_LIB_DIR="c:\projects\unrealircd-6-libs\libressl\lib" ^ -SSLLIB="crypto.lib ssl.lib" ^ +SSL_INC_DIR="c:\projects\unrealircd-6-libs\openssl\include" ^ +SSL_LIB_DIR="c:\projects\unrealircd-6-libs\openssl\lib" ^ +SSLLIB="libcrypto.lib libssl.lib" ^ USE_REMOTEINC=1 ^ LIBCURL_INC_DIR="c:\projects\unrealircd-6-libs\curl\include" ^ LIBCURL_LIB_DIR="c:\projects\unrealircd-6-libs\curl\builds\libcurl-vc-x64-release-dll-ssl-dll-cares-dll-ipv6-obj-lib" ^ diff --git a/src/windows/unrealinst.iss b/src/windows/unrealinst.iss index 0a0a0bb4f..4c371300a 100755 --- a/src/windows/unrealinst.iss +++ b/src/windows/unrealinst.iss 
@@ -66,8 +66,8 @@ Source: "c:\dev\unrealircd-6-libs\argon2\vs2015\build\*.dll"; DestDir: "{app}\bi Source: "c:\dev\unrealircd-6-libs\libsodium\bin\x64\Release\v142\dynamic\*.dll"; DestDir: "{app}\bin"; Flags: ignoreversion signonce Source: "c:\dev\unrealircd-6-libs\jansson\bin\*.dll"; DestDir: "{app}\bin"; Flags: ignoreversion signonce Source: "c:\dev\unrealircd-6-libs\c-ares\msvc\cares\dll-release\cares.dll"; DestDir: "{app}\bin"; Flags: ignoreversion signonce -Source: "c:\dev\unrealircd-6-libs\libressl\bin\openssl.exe"; DestDir: "{app}\bin"; Flags: ignoreversion signonce -Source: "c:\dev\unrealircd-6-libs\libressl\bin\*.dll"; DestDir: "{app}\bin"; Flags: ignoreversion signonce +Source: "c:\dev\unrealircd-6-libs\openssl\bin\openssl.exe"; DestDir: "{app}\bin"; Flags: ignoreversion signonce +Source: "c:\dev\unrealircd-6-libs\openssl\bin\*.dll"; DestDir: "{app}\bin"; Flags: ignoreversion signonce Source: "c:\dev\unrealircd-6-libs\GeoIP\libGeoIP\*.dll"; DestDir: "{app}\bin"; Flags: ignoreversion signonce Source: "c:\dev\unrealircd-6-libs\setacl.exe"; DestDir: "{app}\tmp"; Flags: ignoreversion signonce #ifdef USE_CURL
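Review bot: In Makefile.windows, hunk @@ -9,10 +11,19 @@, the new example `#SSLLIB="libcrypto.lib libssl.lib"` is quoted, while the LibreSSL example removed further down (`#SSLLIB=libcrypto-38.lib libssl-39.lib libtls-11.lib`) was not. On the nmake command line the quotes are consumed, but a macro defined inside the makefile keeps them, so anyone who uncomments this line would have `$(SSLLIB)` in `STDLIBS` reach the linker as one quoted argument naming a single file. Either drop the quotes in the in-file example or say that the quoted form is meant for build.bat only. The comment above it also now reads "make a batch file" followed by "file called "build.bat"", so one "file" should go.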
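Review bot: In Makefile.windows, hunk @@ -44,47 +55,24 @@, the trimmed "### REMOTE INCLUDES ###" block no longer says that libcurl must be built with ares support, and the old "SSL/TLS SUPPORT (MANDATORY)" marker has no counterpart in the new "### SSL/TLS ###" section. Both are build prerequisites that someone compiling their own libraries needs to know; keep a one-line note for each, or point at the Compiling_UnrealIRCd_on_Windows page already linked at the top of the file.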
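Review bot: In Makefile.windows, hunk @@ -135,11 +123,11 @@, there is no check for the old variable names: a build.bat that still passes `LIBRESSL_INC_DIR` and `LIBRESSL_LIB_DIR` leaves `SSL_INC` and `SSL_LIB` empty, and the build then fails later with a missing-header or unresolved-symbol error, or picks up whatever TLS headers and libraries are on the compiler's default paths. Add an `!IFDEF LIBRESSL_INC_DIR` block (and one for `LIBRESSL_LIB_DIR`) that stops with `!ERROR` and names the new variables, or map the old names onto the new ones for one release.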
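Review bot: In doc/RELEASE-NOTES.md, hunk @@ -78,11 +78,9 @@, the new sentence "Notably Debian 13 has it, and our Windows build." depends on the bundled library being OpenSSL 3.5.0 or later, which the lines above give as the requirement, but nothing in this patch states or checks which OpenSSL version the Windows libraries pack ships. State the bundled version in the release notes so the PQC claim can be verified, and consider rewording the sentence to "Notably Debian 13 and our Windows build have it."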
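Review bot: In src/windows/unrealinst.iss, hunk @@ -66,8 +66,8 @@, the two changed Source lines only add files, so on an upgrade any LibreSSL DLLs installed by earlier releases stay in {app}\bin next to the new OpenSSL ones if their file names differ, unless an [InstallDelete] entry elsewhere in the script removes them. Leaving a TLS library that is no longer updated in the application directory is worth avoiding; add a cleanup entry for the old LibreSSL DLL names. The `openssl\bin\*.dll` wildcard also signs and ships every DLL found in that directory on the build machine, so listing the expected OpenSSL DLLs by name would keep stray files out of the signed installer.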