From 9f18118f769d961c2dd6104f5f366bddeec70d77 Mon Sep 17 00:00:00 2001
From: Bram Matthys
Date: Sun, 25 Mar 2018 13:22:19 +0200
Subject: [PATCH] Fix './unrealircd reloadtls' not reloading certificates/keys if listen::ssl-options, sni::ssl-options or link::outgoing::ssl-options are used.

In short: it only reloaded the ones from set::ssl until now. Bug reported by Mr_Smoke (#5072)
---
 include/h.h | 1 +
 src/ssl.c | 63 ++++++++++++++++++++++++++++++++++++++++++++++++++++-
 2 files changed, 63 insertions(+), 1 deletion(-)

diff --git a/include/h.h b/include/h.h
index 2953997a8..a7db26a30 100644
--- a/include/h.h
+++ b/include/h.h
@@ -68,6 +68,7 @@ extern MODVAR ConfigItem_allow *conf_allow;
 extern MODVAR ConfigItem_except *conf_except;
 extern MODVAR ConfigItem_vhost *conf_vhost;
 extern MODVAR ConfigItem_link *conf_link;
+extern MODVAR ConfigItem_sni *conf_sni;
 extern MODVAR ConfigItem_ban *conf_ban;
 extern MODVAR ConfigItem_deny_dcc *conf_deny_dcc;
 extern MODVAR ConfigItem_deny_channel *conf_deny_channel;
diff --git a/src/ssl.c b/src/ssl.c
index cd9988f89..e9acc9ac4 100644
--- a/src/ssl.c
+++ b/src/ssl.c
@@ -427,7 +427,10 @@ int init_ssl(void)
 void reinit_ssl(aClient *acptr)
 {
-SSL_CTX *tmp;
+ SSL_CTX *tmp;
+ ConfigItem_listen *listen;
+ ConfigItem_sni *sni;
+ ConfigItem_link *link;
 if (!acptr)
 mylog("Reloading all SSL related data (./unrealircd reloadtls)");
@@ -461,6 +464,64 @@ SSL_CTX *tmp;
 SSL_CTX_free(tmp);
 SSL_CTX_free(ctx_client);
 ctx_client = init_ctx(iConf.ssl_options, 0);
+
+ /* listen::ssl-options.... */
+ for (listen = conf_listen; listen; listen = listen->next)
+ {
+ if (listen->ssl_options)
+ {
+ tmp = init_ctx(listen->ssl_options, 1);
+ if (!tmp)
+ {
+ config_error("SSL Reload partially failed. listen::ssl-options error, see above");
+ config_report_ssl_error();
+ return;
+ }
+ /* free and do it for real */
+ SSL_CTX_free(tmp);
+ SSL_CTX_free(listen->ssl_ctx);
+ listen->ssl_ctx = init_ctx(listen->ssl_options, 1);
+ }
+ }
+
+ /* sni::ssl-options.... */
+ for (sni = conf_sni; sni; sni = sni->next)
+ {
+ if (sni->ssl_options)
+ {
+ tmp = init_ctx(sni->ssl_options, 1);
+ if (!tmp)
+ {
+ config_error("SSL Reload partially failed. sni::ssl-options error, see above");
+ config_report_ssl_error();
+ return;
+ }
+ /* free and do it for real */
+ SSL_CTX_free(tmp);
+ SSL_CTX_free(sni->ssl_ctx);
+ sni->ssl_ctx = init_ctx(sni->ssl_options, 1);
+ }
+ }
+
+ /* link::outgoing::ssl-options.... */
+ for (link = conf_link; link; link = link->next)
+ {
+ if (link->ssl_options)
+ {
+ tmp = init_ctx(link->ssl_options, 1);
+ if (!tmp)
+ {
+ config_error("SSL Reload partially failed. link::outgoing::ssl-options error in link %s { }, see above",
+ link->servername);
+ config_report_ssl_error();
+ return;
+ }
+ /* free and do it for real */
+ SSL_CTX_free(tmp);
+ SSL_CTX_free(link->ssl_ctx);
+ link->ssl_ctx = init_ctx(link->ssl_options, 1);
+ }
+ }
 }
 #define CHK_NULL(x) if ((x)==NULL) {\
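Review bot: The second init_ctx() call in each new loop is unchecked: if it returns NULL after the trial call succeeded, listen->ssl_ctx (and likewise sni->ssl_ctx and link->ssl_ctx) is left NULL while the previous context has already been freed, so whatever later builds a TLS session from that block presumably has no context to use. The trial context is already a fully initialised SSL_CTX, so it can be installed instead of being freed and rebuilt: replace the three lines after `/* free and do it for real */` with `SSL_CTX_free(listen->ssl_ctx);` `listen->ssl_ctx = tmp;`, and the same in the sni and link loops. Keeping tmp also reads each certificate and key only once, which removes the window in which a file edited between the two calls makes the validated and installed contexts differ. A failure in any loop still returns after ctx_server, ctx_client and the earlier blocks have been replaced, as the "partially failed" message acknowledges; a validate-everything-then-swap pass would make the reload atomic. reinit_ssl's body begins outside this hunk.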