
More ssl -> tls moves. Also recommend to use 'certfp' rather than

the longer 'sslcertfp' or 'tlscertfp', we already support this since
4.0 so... updated the documentation as well.
This commit is contained in:
Bram Matthys
2019-08-12 14:53:29 +02:00
parent 8ff6ad17ee
commit 7fa2b8be05
11 changed files with 121 additions and 113 deletions
+2 -2
@@ -28,9 +28,9 @@ typedef struct {
#define AUTHTYPE_UNIXCRYPT 1
#define AUTHTYPE_MD5 2
#define AUTHTYPE_SHA1 3
#define AUTHTYPE_SSL_CLIENTCERT 4
#define AUTHTYPE_TLS_CLIENTCERT 4
#define AUTHTYPE_RIPEMD160 5
#define AUTHTYPE_SSL_CLIENTCERTFP 6
#define AUTHTYPE_TLS_CLIENTCERTFP 6
#define AUTHTYPE_BCRYPT 7
#define AUTHTYPE_SPKIFP 8
#define AUTHTYPE_ARGON2 9
+3 -4
@@ -194,7 +194,7 @@ extern MODVAR int ipv6_disabled;
#define IDENT_CHECK iConf.ident_check
#define FAILOPER_WARN iConf.fail_oper_warn
#define SHOWCONNECTINFO iConf.show_connect_info
#define NOCONNECTSSLINFO iConf.no_connect_tls_info
#define NOCONNECTTLSLINFO iConf.no_connect_tls_info
#define OPER_ONLY_STATS iConf.oper_only_stats
#define ANTI_SPAM_QUIT_MSG_TIME iConf.anti_spam_quit_message_time
#ifdef HAVE_RAND_EGD
@@ -289,9 +289,8 @@ struct SetCheck {
unsigned has_dont_resolve:1;
unsigned has_mkpasswd_for_everyone:1;
unsigned has_allow_part_if_shunned:1;
unsigned has_ssl_egd:1;
unsigned has_ssl_server_cipher_list :1;
unsigned has_ssl_protocols :1;
unsigned has_tls_server_cipher_list :1;
unsigned has_tls_protocols :1;
unsigned has_dns_bind_ip:1;
unsigned has_link_bind_ip:1;
unsigned has_throttle_period:1;
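Review bot: The new macro name `NOCONNECTTLSLINFO` in the first hunk looks misspelled — the extra `L` does not match the field `no_connect_tls_info` it expands to, and the same misspelling is carried into the stats_set hunk further down (`options::no-connect-tls-info`). Suggest `#define NOCONNECTTLSINFO iConf.no_connect_tls_info` and updating that caller to match. In the SetCheck hunk, `has_ssl_egd` keeps the old prefix while the neighbouring bits become `has_tls_*`; if the rename is meant to be complete, `has_tls_egd` would be consistent, though the corresponding config directive name may constrain that.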
+1 -1
@@ -525,7 +525,7 @@ extern void stripcrlf(char *line);
extern time_t rfc2time(char *s);
extern char *rfctime(time_t t, char *buf);
extern void *MyMallocEx(size_t size);
extern MODFUNC char *ssl_get_cipher(SSL *ssl);
extern MODFUNC char *tls_get_cipher(SSL *ssl);
extern TLSOptions *get_tls_options_for_client(aClient *acptr);
extern int outdated_tls_client(aClient *acptr);
extern char *outdated_tls_client_build_string(char *pattern, aClient *acptr);
+12 -10
@@ -30,10 +30,12 @@ anAuthStruct MODVAR AuthTypes[] = {
{"crypt", AUTHTYPE_UNIXCRYPT},
{"unixcrypt", AUTHTYPE_UNIXCRYPT},
{"bcrypt", AUTHTYPE_BCRYPT},
{"sslclientcert", AUTHTYPE_SSL_CLIENTCERT},
{"cert", AUTHTYPE_SSL_CLIENTCERT},
{"sslclientcertfp", AUTHTYPE_SSL_CLIENTCERTFP},
{"certfp", AUTHTYPE_SSL_CLIENTCERTFP},
{"cert", AUTHTYPE_TLS_CLIENTCERT},
{"sslclientcert", AUTHTYPE_TLS_CLIENTCERT},
{"tlsclientcert", AUTHTYPE_TLS_CLIENTCERT},
{"certfp", AUTHTYPE_TLS_CLIENTCERTFP},
{"sslclientcertfp", AUTHTYPE_TLS_CLIENTCERTFP},
{"tlsclientcertfp", AUTHTYPE_TLS_CLIENTCERTFP},
{"spkifp", AUTHTYPE_SPKIFP},
{"argon2", AUTHTYPE_ARGON2},
{NULL, 0}
@@ -64,7 +66,7 @@ int Auth_AutoDetectHashType(char *hash)
if ((*p != ':') && !strchr(hexchars, *p))
return AUTHTYPE_PLAINTEXT; /* not hex and not colon */
return AUTHTYPE_SSL_CLIENTCERTFP;
return AUTHTYPE_TLS_CLIENTCERTFP;
}
if (strlen(hash) == 44)
@@ -182,11 +184,11 @@ int Auth_CheckError(ConfigEntry *ce)
return -1;
}
break;
case AUTHTYPE_SSL_CLIENTCERT:
case AUTHTYPE_TLS_CLIENTCERT:
convert_to_absolute_path(&ce->ce_vardata, CONFDIR);
if (!(x509_f = fopen(ce->ce_vardata, "r")))
{
config_error("%s:%i: authentication module failure: AUTHTYPE_SSL_CLIENTCERT: error opening file %s: %s",
config_error("%s:%i: authentication module failure: AUTHTYPE_TLS_CLIENTCERT: error opening file %s: %s",
ce->ce_fileptr->cf_filename, ce->ce_varlinenum, ce->ce_vardata, strerror(errno));
return -1;
}
@@ -194,7 +196,7 @@ int Auth_CheckError(ConfigEntry *ce)
fclose(x509_f);
if (!x509_filecert)
{
config_error("%s:%i: authentication module failure: AUTHTYPE_SSL_CLIENTCERT: PEM_read_X509 errored in file %s (format error?)",
config_error("%s:%i: authentication module failure: AUTHTYPE_TLS_CLIENTCERT: PEM_read_X509 errored in file %s (format error?)",
ce->ce_fileptr->cf_filename, ce->ce_varlinenum, ce->ce_vardata);
return -1;
}
@@ -583,7 +585,7 @@ int Auth_Check(aClient *cptr, anAuthStruct *as, char *para)
case AUTHTYPE_RIPEMD160:
return authcheck_ripemd160(cptr, as, para);
case AUTHTYPE_SSL_CLIENTCERT:
case AUTHTYPE_TLS_CLIENTCERT:
{
X509 *x509_clientcert = NULL;
X509 *x509_filecert = NULL;
@@ -617,7 +619,7 @@ int Auth_Check(aClient *cptr, anAuthStruct *as, char *para)
return 2;
}
case AUTHTYPE_SSL_CLIENTCERTFP:
case AUTHTYPE_TLS_CLIENTCERTFP:
{
int i, k;
char hexcolon[EVP_MAX_MD_SIZE * 3 + 1];
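Review bot: The AuthTypes table now lists three names per client-cert type with no comment on which one is canonical, although the commit message says `cert`/`certfp` are the recommended spellings; a one-line comment above the block would keep that intent visible, e.g. `/* 'cert' and 'certfp' are the recommended names; the sslclientcert and tlsclientcert spellings are kept as aliases for existing configs */`. The reordering also puts `cert`/`certfp` first, which matters if any code maps a type value back to a name by first match — worth confirming that is the intended display name, as the hunk does not show such a lookup. The enclosing array definition starts before the hunk.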
+2 -2
@@ -6533,8 +6533,8 @@ int _test_link(ConfigFile *conf, ConfigEntry *ce)
} else {
anAuthStruct *auth = Auth_ConvertConf2AuthStruct(cep);
/* hm. would be nicer if handled @auth-system I think. ah well.. */
if ((auth->type != AUTHTYPE_PLAINTEXT) && (auth->type != AUTHTYPE_SSL_CLIENTCERT) &&
(auth->type != AUTHTYPE_SSL_CLIENTCERTFP) && (auth->type != AUTHTYPE_SPKIFP))
if ((auth->type != AUTHTYPE_PLAINTEXT) && (auth->type != AUTHTYPE_TLS_CLIENTCERT) &&
(auth->type != AUTHTYPE_TLS_CLIENTCERTFP) && (auth->type != AUTHTYPE_SPKIFP))
{
config_error("%s:%i: password in link block should be plaintext OR should be the "
"SSL or SPKI fingerprint of the remote link (=better)",
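Review bot: The config_error text at the end of the hunk still says the password should be the `SSL or SPKI fingerprint`, while the check just above now accepts AUTHTYPE_TLS_CLIENTCERT/AUTHTYPE_TLS_CLIENTCERTFP and the commit recommends the `certfp` spelling; suggest `"certfp or spkifp of the remote link (=better)"` or similar so the message names the auth types an admin would actually write. `auth` returned by Auth_ConvertConf2AuthStruct is dereferenced without a NULL check on the next line — pre-existing, and fine if that function cannot return NULL, which the hunk does not show. _test_link starts and ends outside the hunk.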
+2 -2
@@ -125,8 +125,8 @@ int certificate_verification_active(aClient *acptr)
if (conf->verify_certificate)
return 1; /* yes, verify-certificate is 'yes' */
if ((conf->auth->type == AUTHTYPE_SSL_CLIENTCERT) ||
(conf->auth->type == AUTHTYPE_SSL_CLIENTCERTFP) ||
if ((conf->auth->type == AUTHTYPE_TLS_CLIENTCERT) ||
(conf->auth->type == AUTHTYPE_TLS_CLIENTCERTFP) ||
(conf->auth->type == AUTHTYPE_SPKIFP))
{
/* yes, verified by link::password being a
+1 -1
@@ -1429,7 +1429,7 @@ int _register_user(aClient *cptr, aClient *sptr, char *nick, char *username, cha
if (sptr->local->ssl && !iConf.no_connect_tls_info)
{
sendnotice(sptr, "*** You are connected to %s with %s",
me.name, ssl_get_cipher(sptr->local->ssl));
me.name, tls_get_cipher(sptr->local->ssl));
}
}
+18 -18
@@ -322,7 +322,7 @@ skip_host_check:
{
/* Let's help admins a bit with a good error message in case
* they mix different authentication systems (plaintext password
* vs an "TLS Auth type" like spkifp/sslclientcert/sslclientcertfp).
* vs an "TLS Auth type" like spkifp/tlsclientcert/tlsclientcertfp).
* The 'if' statement below is a bit complex but it consists of 2 things:
* 1. Check if our side expects a plaintext password but we did not receive one
* 2. Check if our side expects a non-plaintext password but we did receive one
@@ -339,14 +339,14 @@ skip_host_check:
sendto_ops_and_log("Link denied for '%s' (Authentication failed [spkifp mismatch]) %s",
servername, inpath);
} else
if (link->auth->type == AUTHTYPE_SSL_CLIENTCERT)
if (link->auth->type == AUTHTYPE_TLS_CLIENTCERT)
{
sendto_ops_and_log("Link denied for '%s' (Authentication failed [sslclientcert mismatch]) %s",
sendto_ops_and_log("Link denied for '%s' (Authentication failed [tlsclientcert mismatch]) %s",
servername, inpath);
} else
if (link->auth->type == AUTHTYPE_SSL_CLIENTCERTFP)
if (link->auth->type == AUTHTYPE_TLS_CLIENTCERTFP)
{
sendto_ops_and_log("Link denied for '%s' (Authentication failed [sslclientcertfp mismatch]) %s",
sendto_ops_and_log("Link denied for '%s' (Authentication failed [tlsclientcertfp mismatch]) %s",
servername, inpath);
} else
{
@@ -360,7 +360,7 @@ skip_host_check:
"Link denied (Authentication failed)");
}
/* Verify the SSL certificate (if requested) */
/* Verify the TLS certificate (if requested) */
if (link->verify_certificate)
{
char *errstr = NULL;
@@ -443,7 +443,7 @@ skip_host_check:
if (IsSecure(cptr) && (iConf.outdated_tls_policy_server == POLICY_DENY) && outdated_tls_client(cptr))
{
sendto_one(cptr, NULL, "ERROR :Server is using an outdated SSL/TLS protocol or cipher (set::outdated-tls-policy::server is 'deny')");
sendto_ops_and_log("Rejected server %s using outdated %s. See https://www.unrealircd.org/docs/FAQ#server-outdated-tls", ssl_get_cipher(cptr->local->ssl), cptr->name);
sendto_ops_and_log("Rejected server %s using outdated %s. See https://www.unrealircd.org/docs/FAQ#server-outdated-tls", tls_get_cipher(cptr->local->ssl), cptr->name);
return exit_client(cptr, sptr, &me, NULL, "Server using outdates SSL/TLS protocol or cipher (set::outdated-tls-policy::server is 'deny')");
}
if (link_out)
@@ -791,15 +791,15 @@ void _introduce_user(aClient *to, aClient *acptr)
void tls_link_notification_verify(aClient *acptr, ConfigItem_link *aconf)
{
char *spki_fp;
char *ssl_fp;
char *tls_fp;
char *errstr = NULL;
int verify_ok;
if (!MyConnect(acptr) || !acptr->local->ssl || !aconf)
return;
if ((aconf->auth->type == AUTHTYPE_SSL_CLIENTCERT) ||
(aconf->auth->type == AUTHTYPE_SSL_CLIENTCERTFP) ||
if ((aconf->auth->type == AUTHTYPE_TLS_CLIENTCERT) ||
(aconf->auth->type == AUTHTYPE_TLS_CLIENTCERTFP) ||
(aconf->auth->type == AUTHTYPE_SPKIFP))
{
/* Link verified by certificate or SPKI */
@@ -812,9 +812,9 @@ void tls_link_notification_verify(aClient *acptr, ConfigItem_link *aconf)
return;
}
ssl_fp = moddata_client_get(acptr, "certfp");
tls_fp = moddata_client_get(acptr, "certfp");
spki_fp = spki_fingerprint(acptr);
if (!ssl_fp || !spki_fp)
if (!tls_fp || !spki_fp)
return; /* wtf ? */
/* Only bother the user if we are linking to UnrealIRCd 4.0.16+,
@@ -943,9 +943,9 @@ int m_server_synch(aClient *cptr, ConfigItem_link *aconf)
{
sendto_server(&me, 0, 0, NULL, ":%s SMO o :(\2link\2) Secure link %s -> %s established (%s)",
me.name,
me.name, inpath, ssl_get_cipher(cptr->local->ssl));
me.name, inpath, tls_get_cipher(cptr->local->ssl));
sendto_realops("(\2link\2) Secure link %s -> %s established (%s)",
me.name, inpath, ssl_get_cipher(cptr->local->ssl));
me.name, inpath, tls_get_cipher(cptr->local->ssl));
tls_link_notification_verify(cptr, aconf);
}
else
@@ -955,19 +955,19 @@ int m_server_synch(aClient *cptr, ConfigItem_link *aconf)
me.name, inpath);
sendto_realops("(\2link\2) Link %s -> %s established",
me.name, inpath);
/* Print out a warning if linking to a non-SSL server unless it's localhost.
* Yeah.. there are still other cases when non-SSL links are fine (eg: local IP
/* Print out a warning if linking to a non-TLS server unless it's localhost.
* Yeah.. there are still other cases when non-TLS links are fine (eg: local IP
* of the same machine), we won't bother with detecting that. -- Syzop
*/
if (!IsLocal(cptr) && (iConf.plaintext_policy_server == POLICY_WARN))
{
sendto_realops("\002WARNING:\002 This link is unencrypted (non-SSL). We highly recommend to use "
sendto_realops("\002WARNING:\002 This link is unencrypted (not SSL/TLS). We highly recommend to use "
"SSL/TLS for server linking. See https://www.unrealircd.org/docs/Linking_servers");
}
if (IsSecure(cptr) && (iConf.outdated_tls_policy_server == POLICY_WARN) && outdated_tls_client(cptr))
{
sendto_realops("\002WARNING:\002 This link is using an outdated SSL/TLS protocol or cipher (%s).",
ssl_get_cipher(cptr->local->ssl));
tls_get_cipher(cptr->local->ssl));
}
}
(void)add_to_client_hash_table(cptr->name, cptr);
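Review bot: In the outdated-TLS rejection hunk (`Rejected server %s using outdated %s`), the new line passes `tls_get_cipher(cptr->local->ssl)` first and `cptr->name` second, so the log prints the cipher as the server name and vice versa; the arguments should be swapped: `sendto_ops_and_log("Rejected server %s using outdated %s. See https://www.unrealircd.org/docs/FAQ#server-outdated-tls", cptr->name, tls_get_cipher(cptr->local->ssl));`. The ERROR line sent to the peer in the same hunk says `outdates` where `outdated` is meant. Both lines are inside a function that starts and ends outside the hunk.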
+6 -6
@@ -558,7 +558,7 @@ static char *stats_port_helper(ConfigItem_listen *listener)
ircsnprintf(buf, sizeof(buf), "%s%s%s%s",
(listener->options & LISTENER_CLIENTSONLY)? "clientsonly ": "",
(listener->options & LISTENER_SERVERSONLY)? "serversonly ": "",
(listener->options & LISTENER_TLS)? "ssl ": "",
(listener->options & LISTENER_TLS)? "tls ": "",
!(listener->options & LISTENER_TLS)? "plaintext ": "");
return buf;
}
@@ -1109,16 +1109,16 @@ int stats_set(aClient *sptr, char *para)
sendtxtnumeric(sptr, "hide-ban-reason: %d", HIDE_BAN_REASON);
sendtxtnumeric(sptr, "anti-spam-quit-message-time: %s", pretty_time_val(ANTI_SPAM_QUIT_MSG_TIME));
sendtxtnumeric(sptr, "channel-command-prefix: %s", CHANCMDPFX ? CHANCMDPFX : "`");
sendtxtnumeric(sptr, "ssl::certificate: %s", SafePrint(iConf.tls_options->certificate_file));
sendtxtnumeric(sptr, "ssl::key: %s", SafePrint(iConf.tls_options->key_file));
sendtxtnumeric(sptr, "ssl::trusted-ca-file: %s", SafePrint(iConf.tls_options->trusted_ca_file));
sendtxtnumeric(sptr, "ssl::options: %s", iConf.tls_options->options & TLSFLAG_FAILIFNOCERT ? "FAILIFNOCERT" : "");
sendtxtnumeric(sptr, "tls::certificate: %s", SafePrint(iConf.tls_options->certificate_file));
sendtxtnumeric(sptr, "tls::key: %s", SafePrint(iConf.tls_options->key_file));
sendtxtnumeric(sptr, "tls::trusted-ca-file: %s", SafePrint(iConf.tls_options->trusted_ca_file));
sendtxtnumeric(sptr, "tls::options: %s", iConf.tls_options->options & TLSFLAG_FAILIFNOCERT ? "FAILIFNOCERT" : "");
sendtxtnumeric(sptr, "options::show-opermotd: %d", SHOWOPERMOTD);
sendtxtnumeric(sptr, "options::hide-ulines: %d", HIDE_ULINES);
sendtxtnumeric(sptr, "options::identd-check: %d", IDENT_CHECK);
sendtxtnumeric(sptr, "options::fail-oper-warn: %d", FAILOPER_WARN);
sendtxtnumeric(sptr, "options::show-connect-info: %d", SHOWCONNECTINFO);
sendtxtnumeric(sptr, "options::no-connect-tls-info: %d", NOCONNECTSSLINFO);
sendtxtnumeric(sptr, "options::no-connect-tls-info: %d", NOCONNECTTLSLINFO);
sendtxtnumeric(sptr, "options::dont-resolve: %d", DONT_RESOLVE);
sendtxtnumeric(sptr, "options::mkpasswd-for-everyone: %d", MKPASSWD_FOR_EVERYONE);
sendtxtnumeric(sptr, "options::allow-insane-bans: %d", ALLOW_INSANE_BANS);
+73 -66
@@ -157,72 +157,79 @@ CMD_FUNC(m_trace)
class = acptr->local->class ? acptr->local->class->name : "default";
switch (acptr->status)
{
case STAT_CONNECTING:
sendnumeric(sptr, RPL_TRACECONNECTING, class, name);
cnt++;
break;
case STAT_HANDSHAKE:
sendnumeric(sptr, RPL_TRACEHANDSHAKE, class, name);
cnt++;
break;
case STAT_ME:
break;
case STAT_UNKNOWN:
sendnumeric(sptr, RPL_TRACEUNKNOWN, class, name);
cnt++;
break;
case STAT_CLIENT:
/* Only opers see users if there is a wildcard
* but anyone can see all the opers.
*/
if (ValidatePermissionsForPath("client:see:trace:invisible-users",sptr,acptr,NULL,NULL) ||
(!IsInvisible(acptr) && ValidatePermissionsForPath("client:see:trace",sptr,acptr,NULL,NULL)))
{
if (ValidatePermissionsForPath("client:see:trace",sptr,acptr,NULL,NULL) || ValidatePermissionsForPath("client:see:trace:invisible-users",sptr,acptr,NULL,NULL))
sendnumeric(sptr, RPL_TRACEOPERATOR,
class, acptr->name,
GetHost(acptr),
now - acptr->local->lasttime);
else
sendnumeric(sptr, RPL_TRACEUSER,
class, acptr->name,
acptr->user->realhost,
now - acptr->local->lasttime);
cnt++;
}
break;
case STAT_SERVER:
if (acptr->serv->user)
sendnumeric(sptr, RPL_TRACESERVER, class, acptr->fd >= 0 ? link_s[acptr->fd] : -1,
acptr->fd >= 0 ? link_u[acptr->fd] : -1, name, acptr->serv->by,
acptr->serv->user->username,
acptr->serv->user->realhost,
now - acptr->local->lasttime);
else
sendnumeric(sptr, RPL_TRACESERVER, class, acptr->fd >= 0 ? link_s[acptr->fd] : -1,
acptr->fd >= 0 ? link_u[acptr->fd] : -1, name, *(acptr->serv->by) ?
acptr->serv->by : "*", "*", me.name,
now - acptr->local->lasttime);
cnt++;
break;
case STAT_LOG:
sendnumeric(sptr, RPL_TRACELOG, LOGFILE, acptr->local->port);
cnt++;
break;
#ifdef USE_SSL
case STAT_TLS_CONNECT_HANDSHAKE:
sendnumeric(sptr, RPL_TRACENEWTYPE, "SSL-Connect-Handshake", name);
cnt++;
break;
case STAT_TLS_ACCEPT_HANDSHAKE:
sendnumeric(sptr, RPL_TRACENEWTYPE, "SSL-Accept-Handshake", name);
cnt++;
break;
#endif
default: /* ...we actually shouldn't come here... --msa */
sendnumeric(sptr, RPL_TRACENEWTYPE, "<newtype>", name);
cnt++;
break;
case STAT_CONNECTING:
sendnumeric(sptr, RPL_TRACECONNECTING, class, name);
cnt++;
break;
case STAT_HANDSHAKE:
sendnumeric(sptr, RPL_TRACEHANDSHAKE, class, name);
cnt++;
break;
case STAT_ME:
break;
case STAT_UNKNOWN:
sendnumeric(sptr, RPL_TRACEUNKNOWN, class, name);
cnt++;
break;
case STAT_CLIENT:
/* Only opers see users if there is a wildcard
* but anyone can see all the opers.
*/
if (ValidatePermissionsForPath("client:see:trace:invisible-users",sptr,acptr,NULL,NULL) ||
(!IsInvisible(acptr) && ValidatePermissionsForPath("client:see:trace",sptr,acptr,NULL,NULL)))
{
if (ValidatePermissionsForPath("client:see:trace",sptr,acptr,NULL,NULL) || ValidatePermissionsForPath("client:see:trace:invisible-users",sptr,acptr,NULL,NULL))
sendnumeric(sptr, RPL_TRACEOPERATOR,
class, acptr->name,
GetHost(acptr),
now - acptr->local->lasttime);
else
sendnumeric(sptr, RPL_TRACEUSER,
class, acptr->name,
acptr->user->realhost,
now - acptr->local->lasttime);
cnt++;
}
break;
case STAT_SERVER:
if (acptr->serv->user)
sendnumeric(sptr, RPL_TRACESERVER, class, acptr->fd >= 0 ? link_s[acptr->fd] : -1,
acptr->fd >= 0 ? link_u[acptr->fd] : -1, name, acptr->serv->by,
acptr->serv->user->username,
acptr->serv->user->realhost,
now - acptr->local->lasttime);
else
sendnumeric(sptr, RPL_TRACESERVER, class, acptr->fd >= 0 ? link_s[acptr->fd] : -1,
acptr->fd >= 0 ? link_u[acptr->fd] : -1, name, *(acptr->serv->by) ?
acptr->serv->by : "*", "*", me.name,
now - acptr->local->lasttime);
cnt++;
break;
case STAT_LOG:
sendnumeric(sptr, RPL_TRACELOG, LOGFILE, acptr->local->port);
cnt++;
break;
case STAT_TLS_CONNECT_HANDSHAKE:
sendnumeric(sptr, RPL_TRACENEWTYPE, "TLS-Connect-Handshake", name);
cnt++;
break;
case STAT_TLS_ACCEPT_HANDSHAKE:
sendnumeric(sptr, RPL_TRACENEWTYPE, "TLS-Accept-Handshake", name);
cnt++;
break;
default: /* ...we actually shouldn't come here... --msa */
sendnumeric(sptr, RPL_TRACENEWTYPE, "<newtype>", name);
cnt++;
break;
}
}
/*
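Review bot: In the STAT_CLIENT case, the inner test `ValidatePermissionsForPath("client:see:trace", ...) || ValidatePermissionsForPath("client:see:trace:invisible-users", ...)` is already implied by the enclosing `if` (which requires one of those two permissions), so the `else` branch that sends RPL_TRACEUSER is unreachable and every listed client is reported as RPL_TRACEOPERATOR. This is carried over from the old side unchanged, but the re-indent is a good moment to decide whether the inner test was meant to be something like `IsOper(acptr)`; failing that I would leave a comment, `/* NOTE: inner check is implied by the outer one; RPL_TRACEUSER is never sent */`, so the next reader does not rediscover it. Dropping the `#ifdef USE_SSL` around the STAT_TLS_* cases is fine only if those status values are defined unconditionally, which the hunk does not show. m_trace starts and ends outside the hunk.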
+1 -1
@@ -595,7 +595,7 @@ void SSL_set_nonblocking(SSL *s)
BIO_set_nbio(SSL_get_wbio(s),1);
}
char *ssl_get_cipher(SSL *ssl)
char *tls_get_cipher(SSL *ssl)
{
static char buf[256];
int bits;
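Review bot: `tls_get_cipher` returns a pointer into `static char buf[256]`, so the result is overwritten on the next call and shared between all callers; since the renamed prototype is touched in this commit anyway, document that contract at the definition and in the header, e.g. `/* Returns a pointer to a static buffer that is overwritten by the next call; copy it if it must outlive that. */`. Returning `const char *` would additionally stop callers from writing into the shared buffer, at the cost of a visible prototype change. The function body continues past the end of the hunk.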