diff --git a/include/auth.h b/include/auth.h
index 2e74afad5..2484d4f1c 100644
--- a/include/auth.h
+++ b/include/auth.h
@@ -28,9 +28,9 @@ typedef struct {
 #define AUTHTYPE_UNIXCRYPT 1
 #define AUTHTYPE_MD5 2
 #define AUTHTYPE_SHA1 3
-#define AUTHTYPE_SSL_CLIENTCERT 4
+#define AUTHTYPE_TLS_CLIENTCERT 4
 #define AUTHTYPE_RIPEMD160 5
-#define AUTHTYPE_SSL_CLIENTCERTFP 6
+#define AUTHTYPE_TLS_CLIENTCERTFP 6
 #define AUTHTYPE_BCRYPT 7
 #define AUTHTYPE_SPKIFP 8
 #define AUTHTYPE_ARGON2 9
diff --git a/include/dynconf.h b/include/dynconf.h
index b118d2dc1..4e5bfbc8f 100644
--- a/include/dynconf.h
+++ b/include/dynconf.h
@@ -194,7 +194,7 @@ extern MODVAR int ipv6_disabled;
 #define IDENT_CHECK iConf.ident_check
 #define FAILOPER_WARN iConf.fail_oper_warn
 #define SHOWCONNECTINFO iConf.show_connect_info
-#define NOCONNECTSSLINFO iConf.no_connect_tls_info
+#define NOCONNECTTLSLINFO iConf.no_connect_tls_info
 #define OPER_ONLY_STATS iConf.oper_only_stats
 #define ANTI_SPAM_QUIT_MSG_TIME iConf.anti_spam_quit_message_time
 #ifdef HAVE_RAND_EGD
@@ -289,9 +289,8 @@ struct SetCheck {
 unsigned has_dont_resolve:1;
 unsigned has_mkpasswd_for_everyone:1;
 unsigned has_allow_part_if_shunned:1;
- unsigned has_ssl_egd:1;
- unsigned has_ssl_server_cipher_list :1;
- unsigned has_ssl_protocols :1;
+ unsigned has_tls_server_cipher_list :1;
+ unsigned has_tls_protocols :1;
 unsigned has_dns_bind_ip:1;
 unsigned has_link_bind_ip:1;
 unsigned has_throttle_period:1;
diff --git a/include/h.h b/include/h.h
index 2f8a5e6b0..c3cef3dad 100644
--- a/include/h.h
+++ b/include/h.h
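Review bot: The renamed macro on the `+` line, `NOCONNECTTLSLINFO`, carries a stray `L`; the spelling that matches the neighbouring `SHOWCONNECTINFO`/`IDENT_CHECK` style is `NOCONNECTTLSINFO`. The stats.c hunk in this same diff repeats the misspelling, so the tree compiles, but every future caller will copy it; I'd change the line to `#define NOCONNECTTLSINFO iConf.no_connect_tls_info` and fix stats.c to match. If dynconf.h is consumed by third-party modules, keeping `NOCONNECTSSLINFO` as a deprecated alias for one release would avoid breaking them on an otherwise cosmetic rename.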
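Review bot: The `struct SetCheck` hunk deletes the `has_ssl_egd:1` bit rather than renaming it, while the `#ifdef HAVE_RAND_EGD` block in the hunk above is left in place and no hunk in this diff removes a reader or writer of that flag. If the config parser still sets or tests it under that `#ifdef`, EGD-enabled builds will stop compiling; if EGD support was dropped in an earlier commit, the leftover `#ifdef HAVE_RAND_EGD` in the same header should go as well. Since the commit otherwise reads as a pure SSL→TLS rename, a one-line note in the commit message that this hunk removes a feature flag would help anyone bisecting later.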
@@ -525,7 +525,7 @@ extern void stripcrlf(char *line);
 extern time_t rfc2time(char *s);
 extern char *rfctime(time_t t, char *buf);
 extern void *MyMallocEx(size_t size);
-extern MODFUNC char *ssl_get_cipher(SSL *ssl);
+extern MODFUNC char *tls_get_cipher(SSL *ssl);
 extern TLSOptions *get_tls_options_for_client(aClient *acptr);
 extern int outdated_tls_client(aClient *acptr);
 extern char *outdated_tls_client_build_string(char *pattern, aClient *acptr);
diff --git a/src/auth.c b/src/auth.c
index a925e1d4a..dc1c2debb 100644
--- a/src/auth.c
+++ b/src/auth.c
@@ -30,10 +30,12 @@ anAuthStruct MODVAR AuthTypes[] = {
 {"crypt", AUTHTYPE_UNIXCRYPT},
 {"unixcrypt", AUTHTYPE_UNIXCRYPT},
 {"bcrypt", AUTHTYPE_BCRYPT},
- {"sslclientcert", AUTHTYPE_SSL_CLIENTCERT},
- {"cert", AUTHTYPE_SSL_CLIENTCERT},
- {"sslclientcertfp", AUTHTYPE_SSL_CLIENTCERTFP},
- {"certfp", AUTHTYPE_SSL_CLIENTCERTFP},
+ {"cert", AUTHTYPE_TLS_CLIENTCERT},
+ {"sslclientcert", AUTHTYPE_TLS_CLIENTCERT},
+ {"tlsclientcert", AUTHTYPE_TLS_CLIENTCERT},
+ {"certfp", AUTHTYPE_TLS_CLIENTCERTFP},
+ {"sslclientcertfp", AUTHTYPE_TLS_CLIENTCERTFP},
+ {"tlsclientcertfp", AUTHTYPE_TLS_CLIENTCERTFP},
 {"spkifp", AUTHTYPE_SPKIFP},
 {"argon2", AUTHTYPE_ARGON2},
 {NULL, 0}
@@ -64,7 +66,7 @@ int Auth_AutoDetectHashType(char *hash)
 if ((*p != ':') && !strchr(hexchars, *p))
 return AUTHTYPE_PLAINTEXT; /* not hex and not colon */
- return AUTHTYPE_SSL_CLIENTCERTFP;
+ return AUTHTYPE_TLS_CLIENTCERTFP;
 }
 if (strlen(hash) == 44)
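Review bot: `ssl_get_cipher` is declared `MODFUNC`, i.e. it belongs to the symbol set exported to loadable modules, and this hunk renames it with no compatibility shim, so any third-party module calling `ssl_get_cipher()` will fail to resolve against the new binary until it is rebuilt. The auth.c hunk below takes care to keep the legacy `sslclientcert`/`sslclientcertfp` spellings as aliases; the header should arguably do the same for the function. Unless the module ABI is being broken deliberately for this release, I'd add next to the new prototype `#define ssl_get_cipher tls_get_cipher /* deprecated alias, remove next major */` and drop it later.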
@@ -182,11 +184,11 @@ int Auth_CheckError(ConfigEntry *ce)
 return -1;
 }
 break;
- case AUTHTYPE_SSL_CLIENTCERT:
+ case AUTHTYPE_TLS_CLIENTCERT:
 convert_to_absolute_path(&ce->ce_vardata, CONFDIR);
 if (!(x509_f = fopen(ce->ce_vardata, "r")))
 {
- config_error("%s:%i: authentication module failure: AUTHTYPE_SSL_CLIENTCERT: error opening file %s: %s",
+ config_error("%s:%i: authentication module failure: AUTHTYPE_TLS_CLIENTCERT: error opening file %s: %s",
 ce->ce_fileptr->cf_filename, ce->ce_varlinenum, ce->ce_vardata, strerror(errno));
 return -1;
 }
@@ -194,7 +196,7 @@ int Auth_CheckError(ConfigEntry *ce)
 fclose(x509_f);
 if (!x509_filecert)
 {
- config_error("%s:%i: authentication module failure: AUTHTYPE_SSL_CLIENTCERT: PEM_read_X509 errored in file %s (format error?)",
+ config_error("%s:%i: authentication module failure: AUTHTYPE_TLS_CLIENTCERT: PEM_read_X509 errored in file %s (format error?)",
 ce->ce_fileptr->cf_filename, ce->ce_varlinenum, ce->ce_vardata);
 return -1;
 }
@@ -583,7 +585,7 @@ int Auth_Check(aClient *cptr, anAuthStruct *as, char *para)
 case AUTHTYPE_RIPEMD160:
 return authcheck_ripemd160(cptr, as, para);
- case AUTHTYPE_SSL_CLIENTCERT:
+ case AUTHTYPE_TLS_CLIENTCERT:
 {
 X509 *x509_clientcert = NULL;
 X509 *x509_filecert = NULL;
@@ -617,7 +619,7 @@ int Auth_Check(aClient *cptr, anAuthStruct *as, char *para)
 return 2;
 }
- case AUTHTYPE_SSL_CLIENTCERTFP:
+ case AUTHTYPE_TLS_CLIENTCERTFP:
 {
 int i, k;
 char hexcolon[EVP_MAX_MD_SIZE * 3 + 1];
diff --git a/src/conf.c b/src/conf.c
index 75675d706..3ae428917 100644
--- a/src/conf.c
+++ b/src/conf.c
@@ -6533,8 +6533,8 @@ int _test_link(ConfigFile *conf, ConfigEntry *ce)
 } else {
 anAuthStruct *auth = Auth_ConvertConf2AuthStruct(cep);
 /* hm. would be nicer if handled @auth-system I think. ah well.. */
- if ((auth->type != AUTHTYPE_PLAINTEXT) && (auth->type != AUTHTYPE_SSL_CLIENTCERT) &&
- (auth->type != AUTHTYPE_SSL_CLIENTCERTFP) && (auth->type != AUTHTYPE_SPKIFP))
+ if ((auth->type != AUTHTYPE_PLAINTEXT) && (auth->type != AUTHTYPE_TLS_CLIENTCERT) &&
+ (auth->type != AUTHTYPE_TLS_CLIENTCERTFP) && (auth->type != AUTHTYPE_SPKIFP))
 {
 config_error("%s:%i: password in link block should be plaintext OR should be the "
 "SSL or SPKI fingerprint of the remote link (=better)",
diff --git a/src/modules/link-security.c b/src/modules/link-security.c
index 0d73bb2cf..3a06ae2ea 100644
--- a/src/modules/link-security.c
+++ b/src/modules/link-security.c
@@ -125,8 +125,8 @@ int certificate_verification_active(aClient *acptr)
 if (conf->verify_certificate)
 return 1; /* yes, verify-certificate is 'yes' */
- if ((conf->auth->type == AUTHTYPE_SSL_CLIENTCERT) ||
- (conf->auth->type == AUTHTYPE_SSL_CLIENTCERTFP) ||
+ if ((conf->auth->type == AUTHTYPE_TLS_CLIENTCERT) ||
+ (conf->auth->type == AUTHTYPE_TLS_CLIENTCERTFP) ||
 (conf->auth->type == AUTHTYPE_SPKIFP))
 {
 /* yes, verified by link::password being a
diff --git a/src/modules/nick.c b/src/modules/nick.c
index 2b74f840f..56c1493e8 100644
--- a/src/modules/nick.c
+++ b/src/modules/nick.c
@@ -1429,7 +1429,7 @@ int _register_user(aClient *cptr, aClient *sptr, char *nick, char *username, cha
 if (sptr->local->ssl && !iConf.no_connect_tls_info)
 {
 sendnotice(sptr, "*** You are connected to %s with %s",
- me.name, ssl_get_cipher(sptr->local->ssl));
+ me.name, tls_get_cipher(sptr->local->ssl));
 }
 }
diff --git a/src/modules/server.c b/src/modules/server.c
index 69545cf24..5a04794c7 100644
--- a/src/modules/server.c
+++ b/src/modules/server.c
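Review bot: The admin-facing `config_error` text in the context lines directly under the changed condition still says `"SSL or SPKI fingerprint of the remote link (=better)"`, so after this rename the error tells admins to use an "SSL" fingerprint while the auth type names the table now advertises are `tlsclientcertfp`/`certfp`. Since the whole commit is an SSL→TLS wording change, the string touched by the same `if` should move with it, e.g. `"TLS certificate fingerprint (certfp) or SPKI fingerprint of the remote link (=better)"`. `_test_link` begins and ends outside the hunk.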
@@ -322,7 +322,7 @@ skip_host_check:
 {
 /* Let's help admins a bit with a good error message in case
 * they mix different authentication systems (plaintext password
- * vs an "TLS Auth type" like spkifp/sslclientcert/sslclientcertfp).
+ * vs an "TLS Auth type" like spkifp/tlsclientcert/tlsclientcertfp).
 * The 'if' statement below is a bit complex but it consists of 2 things:
 * 1. Check if our side expects a plaintext password but we did not receive one
 * 2. Check if our side expects a non-plaintext password but we did receive one
@@ -339,14 +339,14 @@ skip_host_check:
 sendto_ops_and_log("Link denied for '%s' (Authentication failed [spkifp mismatch]) %s",
 servername, inpath);
 } else
- if (link->auth->type == AUTHTYPE_SSL_CLIENTCERT)
+ if (link->auth->type == AUTHTYPE_TLS_CLIENTCERT)
 {
- sendto_ops_and_log("Link denied for '%s' (Authentication failed [sslclientcert mismatch]) %s",
+ sendto_ops_and_log("Link denied for '%s' (Authentication failed [tlsclientcert mismatch]) %s",
 servername, inpath);
 } else
- if (link->auth->type == AUTHTYPE_SSL_CLIENTCERTFP)
+ if (link->auth->type == AUTHTYPE_TLS_CLIENTCERTFP)
 {
- sendto_ops_and_log("Link denied for '%s' (Authentication failed [sslclientcertfp mismatch]) %s",
+ sendto_ops_and_log("Link denied for '%s' (Authentication failed [tlsclientcertfp mismatch]) %s",
 servername, inpath);
 } else {
@@ -360,7 +360,7 @@ skip_host_check:
 "Link denied (Authentication failed)");
 }
- /* Verify the SSL certificate (if requested) */
+ /* Verify the TLS certificate (if requested) */
 if (link->verify_certificate)
 {
 char *errstr = NULL;
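Review bot: The rewritten comment line keeps the grammatical slip `vs an "TLS Auth type"`; since the commit is already touching this exact line for wording, it should read `* vs a "TLS Auth type" like spkifp/tlsclientcert/tlsclientcertfp).`. The surrounding block and its `if` begin and end outside the hunk.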
@@ -443,7 +443,7 @@ skip_host_check:
 if (IsSecure(cptr) && (iConf.outdated_tls_policy_server == POLICY_DENY) && outdated_tls_client(cptr))
 {
 sendto_one(cptr, NULL, "ERROR :Server is using an outdated SSL/TLS protocol or cipher (set::outdated-tls-policy::server is 'deny')");
- sendto_ops_and_log("Rejected server %s using outdated %s. See https://www.unrealircd.org/docs/FAQ#server-outdated-tls", ssl_get_cipher(cptr->local->ssl), cptr->name);
+ sendto_ops_and_log("Rejected server %s using outdated %s. See https://www.unrealircd.org/docs/FAQ#server-outdated-tls", tls_get_cipher(cptr->local->ssl), cptr->name);
 return exit_client(cptr, sptr, &me, NULL, "Server using outdates SSL/TLS protocol or cipher (set::outdated-tls-policy::server is 'deny')");
 }
 if (link_out)
@@ -791,15 +791,15 @@ void _introduce_user(aClient *to, aClient *acptr)
 void tls_link_notification_verify(aClient *acptr, ConfigItem_link *aconf)
 {
 char *spki_fp;
- char *ssl_fp;
+ char *tls_fp;
 char *errstr = NULL;
 int verify_ok;
 if (!MyConnect(acptr) || !acptr->local->ssl || !aconf)
 return;
- if ((aconf->auth->type == AUTHTYPE_SSL_CLIENTCERT) ||
- (aconf->auth->type == AUTHTYPE_SSL_CLIENTCERTFP) ||
+ if ((aconf->auth->type == AUTHTYPE_TLS_CLIENTCERT) ||
+ (aconf->auth->type == AUTHTYPE_TLS_CLIENTCERTFP) ||
 (aconf->auth->type == AUTHTYPE_SPKIFP))
 {
 /* Link verified by certificate or SPKI */
@@ -812,9 +812,9 @@ void tls_link_notification_verify(aClient *acptr, ConfigItem_link *aconf)
 return;
 }
- ssl_fp = moddata_client_get(acptr, "certfp");
+ tls_fp = moddata_client_get(acptr, "certfp");
 spki_fp = spki_fingerprint(acptr);
- if (!ssl_fp || !spki_fp)
+ if (!tls_fp || !spki_fp)
 return; /* wtf ? */
 /* Only bother the user if we are linking to UnrealIRCd 4.0.16+,
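Review bot: The `+` line in the `@@ -443` hunk hands `"Rejected server %s using outdated %s. ..."` the cipher string as its first argument and `cptr->name` as its second, so the oper log comes out as "Rejected server <cipher> using outdated <servername>"; the rename preserves the swap instead of fixing it. The arguments should be reordered: `sendto_ops_and_log("Rejected server %s using outdated %s. See https://www.unrealircd.org/docs/FAQ#server-outdated-tls", cptr->name, tls_get_cipher(cptr->local->ssl));`. The `exit_client` reason on the following context line also misspells `outdates` (should be `outdated`), and that text is sent to the remote server. The enclosing function starts and ends outside the hunk.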
@@ -943,9 +943,9 @@ int m_server_synch(aClient *cptr, ConfigItem_link *aconf)
 {
 sendto_server(&me, 0, 0, NULL, ":%s SMO o :(\2link\2) Secure link %s -> %s established (%s)",
 me.name,
- me.name, inpath, ssl_get_cipher(cptr->local->ssl));
+ me.name, inpath, tls_get_cipher(cptr->local->ssl));
 sendto_realops("(\2link\2) Secure link %s -> %s established (%s)",
- me.name, inpath, ssl_get_cipher(cptr->local->ssl));
+ me.name, inpath, tls_get_cipher(cptr->local->ssl));
 tls_link_notification_verify(cptr, aconf);
 }
 else
@@ -955,19 +955,19 @@ int m_server_synch(aClient *cptr, ConfigItem_link *aconf)
 me.name, inpath);
 sendto_realops("(\2link\2) Link %s -> %s established",
 me.name, inpath);
- /* Print out a warning if linking to a non-SSL server unless it's localhost.
- * Yeah.. there are still other cases when non-SSL links are fine (eg: local IP
+ /* Print out a warning if linking to a non-TLS server unless it's localhost.
+ * Yeah.. there are still other cases when non-TLS links are fine (eg: local IP
 * of the same machine), we won't bother with detecting that. -- Syzop
 */
 if (!IsLocal(cptr) && (iConf.plaintext_policy_server == POLICY_WARN))
 {
- sendto_realops("\002WARNING:\002 This link is unencrypted (non-SSL). We highly recommend to use "
+ sendto_realops("\002WARNING:\002 This link is unencrypted (not SSL/TLS). We highly recommend to use "
 "SSL/TLS for server linking. See https://www.unrealircd.org/docs/Linking_servers");
 }
 if (IsSecure(cptr) && (iConf.outdated_tls_policy_server == POLICY_WARN) && outdated_tls_client(cptr))
 {
 sendto_realops("\002WARNING:\002 This link is using an outdated SSL/TLS protocol or cipher (%s).",
- ssl_get_cipher(cptr->local->ssl));
+ tls_get_cipher(cptr->local->ssl));
 }
 }
 (void)add_to_client_hash_table(cptr->name, cptr);
diff --git a/src/modules/stats.c b/src/modules/stats.c
index 468c6c74c..aedf72ff1 100644
--- a/src/modules/stats.c
+++ b/src/modules/stats.c
@@ -558,7 +558,7 @@ static char *stats_port_helper(ConfigItem_listen *listener)
 ircsnprintf(buf, sizeof(buf), "%s%s%s%s",
 (listener->options & LISTENER_CLIENTSONLY)? "clientsonly ": "",
 (listener->options & LISTENER_SERVERSONLY)? "serversonly ": "",
- (listener->options & LISTENER_TLS)? "ssl ": "",
+ (listener->options & LISTENER_TLS)? "tls ": "",
 !(listener->options & LISTENER_TLS)? "plaintext ": "");
 return buf;
 }
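Review bot: Swapping the emitted token from `"ssl "` to `"tls "` changes the text of the /STATS port listing that operators, scripts and monitoring may match on, so this line is a behaviour change rather than the internal rename the rest of the commit performs, and nothing in the hunk marks it as intentional. If it is intended, it deserves a release-notes line; if not, the output token can stay `"ssl "` while the identifiers are renamed. The `buf` the helper returns is declared outside the hunk; since a pointer to it is handed back, it is presumably static, which would be worth stating in a one-line comment on the function (`/* returns pointer to a static buffer */`). The function's opening lines are outside the hunk.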
@@ -1109,16 +1109,16 @@ int stats_set(aClient *sptr, char *para)
 sendtxtnumeric(sptr, "hide-ban-reason: %d", HIDE_BAN_REASON);
 sendtxtnumeric(sptr, "anti-spam-quit-message-time: %s", pretty_time_val(ANTI_SPAM_QUIT_MSG_TIME));
 sendtxtnumeric(sptr, "channel-command-prefix: %s", CHANCMDPFX ? CHANCMDPFX : "`");
- sendtxtnumeric(sptr, "ssl::certificate: %s", SafePrint(iConf.tls_options->certificate_file));
- sendtxtnumeric(sptr, "ssl::key: %s", SafePrint(iConf.tls_options->key_file));
- sendtxtnumeric(sptr, "ssl::trusted-ca-file: %s", SafePrint(iConf.tls_options->trusted_ca_file));
- sendtxtnumeric(sptr, "ssl::options: %s", iConf.tls_options->options & TLSFLAG_FAILIFNOCERT ? "FAILIFNOCERT" : "");
+ sendtxtnumeric(sptr, "tls::certificate: %s", SafePrint(iConf.tls_options->certificate_file));
+ sendtxtnumeric(sptr, "tls::key: %s", SafePrint(iConf.tls_options->key_file));
+ sendtxtnumeric(sptr, "tls::trusted-ca-file: %s", SafePrint(iConf.tls_options->trusted_ca_file));
+ sendtxtnumeric(sptr, "tls::options: %s", iConf.tls_options->options & TLSFLAG_FAILIFNOCERT ? "FAILIFNOCERT" : "");
 sendtxtnumeric(sptr, "options::show-opermotd: %d", SHOWOPERMOTD);
 sendtxtnumeric(sptr, "options::hide-ulines: %d", HIDE_ULINES);
 sendtxtnumeric(sptr, "options::identd-check: %d", IDENT_CHECK);
 sendtxtnumeric(sptr, "options::fail-oper-warn: %d", FAILOPER_WARN);
 sendtxtnumeric(sptr, "options::show-connect-info: %d", SHOWCONNECTINFO);
- sendtxtnumeric(sptr, "options::no-connect-tls-info: %d", NOCONNECTSSLINFO);
+ sendtxtnumeric(sptr, "options::no-connect-tls-info: %d", NOCONNECTTLSLINFO);
 sendtxtnumeric(sptr, "options::dont-resolve: %d", DONT_RESOLVE);
 sendtxtnumeric(sptr, "options::mkpasswd-for-everyone: %d", MKPASSWD_FOR_EVERYONE);
 sendtxtnumeric(sptr, "options::allow-insane-bans: %d", ALLOW_INSANE_BANS);
diff --git a/src/modules/trace.c b/src/modules/trace.c
index b1035b875..51e91e031 100644
--- a/src/modules/trace.c
+++ b/src/modules/trace.c
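Review bot: The last `+` line reads the setting through the misspelled `NOCONNECTTLSLINFO` macro (stray `L`), while nick.c in this same diff reads the identical field directly as `iConf.no_connect_tls_info`; propagating the typo here is what makes it stick. I'd either fix the macro's spelling in dynconf.h or drop the indirection and write `sendtxtnumeric(sptr, "options::no-connect-tls-info: %d", iConf.no_connect_tls_info);`, which is also consistent with the `iConf.tls_options->...` accesses a few lines above. Note too that the `ssl::` → `tls::` keys change /STATS output admins may grep for, which is worth a release-notes line. `stats_set` starts and ends outside the hunk.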
@@ -157,72 +157,79 @@ CMD_FUNC(m_trace)
 class = acptr->local->class ? acptr->local->class->name : "default";
 switch (acptr->status)
 {
- case STAT_CONNECTING:
- sendnumeric(sptr, RPL_TRACECONNECTING, class, name);
- cnt++;
- break;
- case STAT_HANDSHAKE:
- sendnumeric(sptr, RPL_TRACEHANDSHAKE, class, name);
- cnt++;
- break;
- case STAT_ME:
- break;
- case STAT_UNKNOWN:
- sendnumeric(sptr, RPL_TRACEUNKNOWN, class, name);
- cnt++;
- break;
- case STAT_CLIENT:
- /* Only opers see users if there is a wildcard
- * but anyone can see all the opers.
- */
- if (ValidatePermissionsForPath("client:see:trace:invisible-users",sptr,acptr,NULL,NULL) ||
- (!IsInvisible(acptr) && ValidatePermissionsForPath("client:see:trace",sptr,acptr,NULL,NULL)))
- {
- if (ValidatePermissionsForPath("client:see:trace",sptr,acptr,NULL,NULL) || ValidatePermissionsForPath("client:see:trace:invisible-users",sptr,acptr,NULL,NULL))
- sendnumeric(sptr, RPL_TRACEOPERATOR,
- class, acptr->name,
- GetHost(acptr),
- now - acptr->local->lasttime);
- else
- sendnumeric(sptr, RPL_TRACEUSER,
- class, acptr->name,
- acptr->user->realhost,
- now - acptr->local->lasttime);
- cnt++;
- }
- break;
- case STAT_SERVER:
- if (acptr->serv->user)
- sendnumeric(sptr, RPL_TRACESERVER, class, acptr->fd >= 0 ? link_s[acptr->fd] : -1,
- acptr->fd >= 0 ? link_u[acptr->fd] : -1, name, acptr->serv->by,
- acptr->serv->user->username,
- acptr->serv->user->realhost,
- now - acptr->local->lasttime);
- else
- sendnumeric(sptr, RPL_TRACESERVER, class, acptr->fd >= 0 ? link_s[acptr->fd] : -1,
- acptr->fd >= 0 ? link_u[acptr->fd] : -1, name, *(acptr->serv->by) ?
- acptr->serv->by : "*", "*", me.name,
- now - acptr->local->lasttime);
- cnt++;
- break;
- case STAT_LOG:
- sendnumeric(sptr, RPL_TRACELOG, LOGFILE, acptr->local->port);
- cnt++;
- break;
-#ifdef USE_SSL
- case STAT_TLS_CONNECT_HANDSHAKE:
- sendnumeric(sptr, RPL_TRACENEWTYPE, "SSL-Connect-Handshake", name);
- cnt++;
- break;
- case STAT_TLS_ACCEPT_HANDSHAKE:
- sendnumeric(sptr, RPL_TRACENEWTYPE, "SSL-Accept-Handshake", name);
- cnt++;
- break;
-#endif
- default: /* ...we actually shouldn't come here... --msa */
- sendnumeric(sptr, RPL_TRACENEWTYPE, "", name);
- cnt++;
- break;
+ case STAT_CONNECTING:
+ sendnumeric(sptr, RPL_TRACECONNECTING, class, name);
+ cnt++;
+ break;
+
+ case STAT_HANDSHAKE:
+ sendnumeric(sptr, RPL_TRACEHANDSHAKE, class, name);
+ cnt++;
+ break;
+
+ case STAT_ME:
+ break;
+
+ case STAT_UNKNOWN:
+ sendnumeric(sptr, RPL_TRACEUNKNOWN, class, name);
+ cnt++;
+ break;
+
+ case STAT_CLIENT:
+ /* Only opers see users if there is a wildcard
+ * but anyone can see all the opers.
+ */
+ if (ValidatePermissionsForPath("client:see:trace:invisible-users",sptr,acptr,NULL,NULL) ||
+ (!IsInvisible(acptr) && ValidatePermissionsForPath("client:see:trace",sptr,acptr,NULL,NULL)))
+ {
+ if (ValidatePermissionsForPath("client:see:trace",sptr,acptr,NULL,NULL) || ValidatePermissionsForPath("client:see:trace:invisible-users",sptr,acptr,NULL,NULL))
+ sendnumeric(sptr, RPL_TRACEOPERATOR,
+ class, acptr->name,
+ GetHost(acptr),
+ now - acptr->local->lasttime);
+ else
+ sendnumeric(sptr, RPL_TRACEUSER,
+ class, acptr->name,
+ acptr->user->realhost,
+ now - acptr->local->lasttime);
+ cnt++;
+ }
+ break;
+
+ case STAT_SERVER:
+ if (acptr->serv->user)
+ sendnumeric(sptr, RPL_TRACESERVER, class, acptr->fd >= 0 ? link_s[acptr->fd] : -1,
+ acptr->fd >= 0 ? link_u[acptr->fd] : -1, name, acptr->serv->by,
+ acptr->serv->user->username,
+ acptr->serv->user->realhost,
+ now - acptr->local->lasttime);
+ else
+ sendnumeric(sptr, RPL_TRACESERVER, class, acptr->fd >= 0 ?
link_s[acptr->fd] : -1,
+ acptr->fd >= 0 ? link_u[acptr->fd] : -1, name, *(acptr->serv->by) ?
+ acptr->serv->by : "*", "*", me.name,
+ now - acptr->local->lasttime);
+ cnt++;
+ break;
+
+ case STAT_LOG:
+ sendnumeric(sptr, RPL_TRACELOG, LOGFILE, acptr->local->port);
+ cnt++;
+ break;
+
+ case STAT_TLS_CONNECT_HANDSHAKE:
+ sendnumeric(sptr, RPL_TRACENEWTYPE, "TLS-Connect-Handshake", name);
+ cnt++;
+ break;
+
+ case STAT_TLS_ACCEPT_HANDSHAKE:
+ sendnumeric(sptr, RPL_TRACENEWTYPE, "TLS-Accept-Handshake", name);
+ cnt++;
+ break;
+
+ default: /* ...we actually shouldn't come here... --msa */
+ sendnumeric(sptr, RPL_TRACENEWTYPE, "", name);
+ cnt++;
+ break;
 }
 }
 /*
diff --git a/src/tls.c b/src/tls.c
index 54e2be641..75f8fc7b4 100644
--- a/src/tls.c
+++ b/src/tls.c
@@ -595,7 +595,7 @@ void SSL_set_nonblocking(SSL *s)
 BIO_set_nbio(SSL_get_wbio(s),1);
 }
-char *ssl_get_cipher(SSL *ssl)
+char *tls_get_cipher(SSL *ssl)
 {
 static char buf[256];
 int bits;
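Review bot: In the re-indented `STAT_CLIENT` case the `else` branch that sends `RPL_TRACEUSER` is unreachable: the outer `if` only admits `acptr` when `client:see:trace:invisible-users` holds, or when `!IsInvisible(acptr)` and `client:see:trace` both hold, and the inner `if` tests exactly `client:see:trace || client:see:trace:invisible-users`, which is true in either case, so every listed client is reported as `RPL_TRACEOPERATOR`. The comment above it says anyone may see the opers, which suggests the inner test was meant to ask whether `acptr` is an oper rather than re-check the caller's permissions; I'd confirm the intended semantics and replace the inner condition with that oper check (or delete the dead branch and the comment that promises it). Separately, the `#ifdef USE_SSL` guard around the two `STAT_TLS_*_HANDSHAKE` cases is dropped; that is only safe if those `STAT_*` constants are now defined unconditionally, which this diff does not show. `m_trace` begins and ends outside the hunk.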
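Review bot: The renamed `tls_get_cipher` is an exported (`MODFUNC`) function that hands back a pointer into the `static char buf[256]` visible in the hunk, so its result is overwritten by the next call and is not safe to hold across calls or use from more than one thread; the rename is the natural moment to say so where module authors will see it. I'd add above the definition `/* Describe the negotiated protocol/cipher of 'ssl' for display. Returns a pointer to a static buffer that the next call overwrites. */`. The function body continues outside the hunk.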