Browse Source

Massive renames of SSL/TLS and SSL to TLS. People should know the term by now :D

pull/12/head
Bram Matthys 1 year ago
parent
commit
532a9becda
No known key found for this signature in database
GPG Key ID: BF8116B163EAAE98
  1. 4
      include/config.h
  2. 16
      include/h.h
  3. 14
      include/struct.h
  4. 4
      src/auth.c
  5. 22
      src/conf.c
  6. 4
      src/crashreport.c
  7. 3
      src/debug.c
  8. 8
      src/ircd.c
  9. 4
      src/modulemanager.c
  10. 2
      src/modules/certfp.c
  11. 8
      src/modules/chanmodes/issecure.c
  12. 10
      src/modules/chanmodes/link.c
  13. 2
      src/modules/chanmodes/secureonly.c
  14. 2
      src/modules/invite.c
  15. 10
      src/modules/jumpserver.c
  16. 10
      src/modules/link-security.c
  17. 12
      src/modules/server.c
  18. 4
      src/modules/starttls.c
  19. 2
      src/modules/sts.c
  20. 2
      src/modules/tkl.c
  21. 6
      src/modules/tls_antidos.c
  22. 8
      src/modules/usermodes/secureonlymsg.c
  23. 8
      src/serv.c
  24. 18
      src/socket.c
  25. 164
      src/tls.c
  26. 6
      src/url.c
  27. 2
      src/user.c
  28. 6
      src/windows/unrealinst.iss
  29. 6
      src/windows/wingui.rc

4
include/config.h

@ -251,7 +251,7 @@
*/
#undef EXPERIMENTAL
/* Default SSL/TLS cipherlist (except for TLS1.3, see further down).
/* Default TLS cipherlist (except for TLS1.3, see further down).
* This can be changed via set::ssl::options::ciphers in the config file.
*/
#define UNREALIRCD_DEFAULT_CIPHERS "TLS13-CHACHA20-POLY1305-SHA256 TLS13-AES-256-GCM-SHA384 TLS13-AES-128-GCM-SHA256 EECDH+CHACHA20 EECDH+AESGCM EECDH+AES AES256-GCM-SHA384 AES128-GCM-SHA256 AES256-SHA256 AES128-SHA256 AES256-SHA AES128-SHA"
@ -261,7 +261,7 @@
*/
#define UNREALIRCD_DEFAULT_CIPHERSUITES "TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_8_SHA256:TLS_AES_128_CCM_SHA256"
/* Default SSL/TLS curves for ECDH(E)
/* Default TLS curves for ECDH(E)
* This can be changed via set::ssl::options::ecdh-curve in the config file.
* NOTE: This requires openssl 1.0.2 or newer, otherwise these defaults
* are not applied, due to the missing openssl API call.

16
include/h.h

@ -779,15 +779,15 @@ extern MODVAR char *(*tkl_uhost)(TKL *tkl, char *buf, size_t buflen, int options
extern MODVAR void (*do_unreal_log_remote_deliver)(LogLevel loglevel, char *subsystem, char *event_id, MultiLine *msg, char *json_serialized);
/* /Efuncs */
/* SSL/TLS functions */
extern int early_init_ssl();
extern int init_ssl();
/* TLS functions */
extern int early_init_tls();
extern int init_tls();
extern int ssl_handshake(Client *); /* Handshake the accpeted con.*/
extern int ssl_client_handshake(Client *, ConfigItem_link *); /* and the initiated con.*/
extern int ircd_SSL_accept(Client *acptr, int fd);
extern int ircd_SSL_connect(Client *acptr, int fd);
extern int unreal_tls_accept(Client *acptr, int fd);
extern int unreal_tls_connect(Client *acptr, int fd);
extern int SSL_smart_shutdown(SSL *ssl);
extern void ircd_SSL_client_handshake(int, int, void *);
extern void unreal_tls_client_handshake(int, int, void *);
extern void SSL_set_nonblocking(SSL *s);
extern SSL_CTX *init_ctx(TLSOptions *tlsoptions, int server);
extern MODFUNC char *tls_get_cipher(SSL *ssl);
@ -799,7 +799,7 @@ extern EVENT(tls_check_expiry);
extern MODVAR EVP_MD *sha256_function;
extern MODVAR EVP_MD *sha1_function;
extern MODVAR EVP_MD *md5_function;
/* End of SSL/TLS functions */
/* End of TLS functions */
extern void parse_message_tags_default_handler(Client *client, char **str, MessageTag **mtag_list);
extern char *mtags_to_string_default_handler(MessageTag *m, Client *client);
@ -927,7 +927,7 @@ extern int get_terminal_width(void);
extern int has_common_channels(Client *c1, Client *c2);
extern int user_can_see_member(Client *user, Client *target, Channel *channel);
extern int invisible_user_in_channel(Client *target, Channel *channel);
extern MODVAR int ssl_client_index;
extern MODVAR int tls_client_index;
extern TLSOptions *FindTLSOptionsForUser(Client *acptr);
extern int IsWebsocket(Client *acptr);
extern Policy policy_strtoval(char *s);

14
include/struct.h

@ -317,7 +317,7 @@ typedef enum LogDestination { LOG_DEST_SNOMASK=0, LOG_DEST_OPER=1, LOG_DEST_REMO
/** This specifies the current client status or the client type - see @link ClientStatus @endlink in particular.
* You may think "server" or "client" are the only choices here, but there are many more
* such as states where the user is in the middle of an SSL/TLS handshake.
* such as states where the user is in the middle of an TLS handshake.
* @defgroup ClientStatuses Client statuses / types
* @{
*/
@ -325,8 +325,8 @@ typedef enum ClientStatus {
CLIENT_STATUS_LOG = -7, /**< Client is a log file */
CLIENT_STATUS_TLS_STARTTLS_HANDSHAKE = -8, /**< Client is doing a STARTTLS handshake */
CLIENT_STATUS_CONNECTING = -6, /**< Client is an outgoing connect */
CLIENT_STATUS_TLS_CONNECT_HANDSHAKE = -5, /**< Client is doing an SSL/TLS handshake - outgoing connection */
CLIENT_STATUS_TLS_ACCEPT_HANDSHAKE = -4, /**< Client is doing an SSL/TLS handshake - incoming connection */
CLIENT_STATUS_TLS_CONNECT_HANDSHAKE = -5, /**< Client is doing an TLS handshake - outgoing connection */
CLIENT_STATUS_TLS_ACCEPT_HANDSHAKE = -4, /**< Client is doing an TLS handshake - incoming connection */
CLIENT_STATUS_HANDSHAKE = -3, /**< Client is doing a server handshake - outgoing connection */
CLIENT_STATUS_ME = -2, /**< Client is &me (this server) */
CLIENT_STATUS_UNKNOWN = -1, /**< Client is doing a hanshake. May become a server or user later, we don't know yet */
@ -391,7 +391,7 @@ typedef enum ClientStatus {
#define CLIENT_FLAG_DCCNOTICE 0x00200000 /**< Has the user seen a notice on how to use DCCALLOW already? */
#define CLIENT_FLAG_SHUNNED 0x00400000 /**< Connection is shunned (user cannot execute any commands) */
#define CLIENT_FLAG_VIRUS 0x00800000 /**< Tagged by spamfilter as a virus */
#define CLIENT_FLAG_TLS 0x01000000 /**< Connection is using SSL/TLS */
#define CLIENT_FLAG_TLS 0x01000000 /**< Connection is using TLS */
#define CLIENT_FLAG_NOFAKELAG 0x02000000 /**< Exemption from fake lag */
#define CLIENT_FLAG_DCCBLOCK 0x04000000 /**< Block all DCC send requests */
#define CLIENT_FLAG_MAP 0x08000000 /**< Show this entry in /MAP (only used in map module) */
@ -1341,7 +1341,7 @@ struct Client {
*/
struct LocalClient {
int fd; /**< File descriptor, can be <0 if socket has been closed already. */
SSL *ssl; /**< OpenSSL/LibreSSL struct for SSL/TLS connection */
SSL *ssl; /**< OpenSSL/LibreSSL struct for TLS connection */
time_t since; /**< Time when user will next be allowed to send something (actually since<currenttime+10) */
int since_msec; /**< Used for calculating 'since' penalty (modulo) */
time_t firsttime; /**< Time user was created (connected on IRC) */
@ -1373,7 +1373,7 @@ struct LocalClient {
unsigned char sasl_out; /**< SASL: Number of outgoing sasl messages */
unsigned char sasl_complete; /**< SASL: >0 if SASL authentication was successful */
time_t sasl_sent_time; /**< SASL: 0 or the time that the (last) AUTHENTICATE command has been sent */
char *sni_servername; /**< Servername as sent by client via SNI (Server Name Indication) in SSL/TLS, otherwise NULL */
char *sni_servername; /**< Servername as sent by client via SNI (Server Name Indication) in TLS, otherwise NULL */
int cap_protocol; /**< CAP protocol in use. At least 300 for any CAP capable client. 302 for 3.2, etc.. */
uint32_t nospoof; /**< Anti-spoofing random number (used in user handshake PING/PONG) */
char *passwd; /**< Password used during connect, if any (freed once connected and set to NULL) */
@ -1678,7 +1678,7 @@ struct ConfigItem_oper {
int maxlogins;
};
/** The SSL/TLS options that are used in set::tls and otherblocks::tls-options.
/** The TLS options that are used in set::tls and otherblocks::tls-options.
* NOTE: If you add something here then you must also update the
* conf_tlsblock() function in s_conf.c to have it inherited
* from set::tls to the other config blocks!

4
src/auth.c

@ -80,7 +80,7 @@ int Auth_AutoDetectHashType(char *hash)
if (!strchr(hash, '$'))
{
/* SHA256 SSL fingerprint perhaps?
/* SHA256 certificate fingerprint perhaps?
* These are exactly 64 bytes (00112233..etc..) or 95 bytes (00:11:22:33:etc) in size.
*/
if ((strlen(hash) == 64) || (strlen(hash) == 95))
@ -394,7 +394,7 @@ static int authcheck_spkifp(Client *client, AuthConfig *as, char *para)
char *fp = spki_fingerprint(client);
if (!fp)
return 0; /* auth failed: not SSL (or other failure) */
return 0; /* auth failed: not TLS or some other failure */
if (strcasecmp(as->data, fp))
return 0; /* auth failed: mismatch */

22
src/conf.c

@ -1801,7 +1801,7 @@ void config_setdefaultsettings(Configuration *i)
config_parse_flood_generic("4:15", i, "unknown-users", FLD_CONVERSATIONS); /* 4 users, new user every 15s */
config_parse_flood_generic("90:1000", i, "unknown-users", FLD_LAG_PENALTY); /* 90 bytes / 1000 msec */
/* SSL/TLS options */
/* TLS options */
i->tls_options = safe_alloc(sizeof(TLSOptions));
snprintf(tmp, sizeof(tmp), "%s/tls/server.cert.pem", CONFDIR);
safe_strdup(i->tls_options->certificate_file, tmp);
@ -1863,9 +1863,9 @@ void postconf_defaults(void)
{
/* The message depends on whether it's reject or warn.. */
if (iConf.plaintext_policy_user == POLICY_DENY)
addmultiline(&iConf.plaintext_policy_user_message, "Insecure connection. Please reconnect using SSL/TLS.");
addmultiline(&iConf.plaintext_policy_user_message, "Insecure connection. Please reconnect using TLS.");
else if (iConf.plaintext_policy_user == POLICY_WARN)
addmultiline(&iConf.plaintext_policy_user_message, "WARNING: Insecure connection. Please consider using SSL/TLS.");
addmultiline(&iConf.plaintext_policy_user_message, "WARNING: Insecure connection. Please consider using TLS.");
}
if (!iConf.plaintext_policy_oper_message)
@ -1873,29 +1873,29 @@ void postconf_defaults(void)
/* The message depends on whether it's reject or warn.. */
if (iConf.plaintext_policy_oper == POLICY_DENY)
{
addmultiline(&iConf.plaintext_policy_oper_message, "You need to use a secure connection (SSL/TLS) in order to /OPER.");
addmultiline(&iConf.plaintext_policy_oper_message, "You need to use a secure connection (TLS) in order to /OPER.");
addmultiline(&iConf.plaintext_policy_oper_message, "See https://www.unrealircd.org/docs/FAQ#oper-requires-tls");
}
else if (iConf.plaintext_policy_oper == POLICY_WARN)
addmultiline(&iConf.plaintext_policy_oper_message, "WARNING: You /OPER'ed up from an insecure connection. Please consider using SSL/TLS.");
addmultiline(&iConf.plaintext_policy_oper_message, "WARNING: You /OPER'ed up from an insecure connection. Please consider using TLS.");
}
if (!iConf.outdated_tls_policy_user_message)
{
/* The message depends on whether it's reject or warn.. */
if (iConf.outdated_tls_policy_user == POLICY_DENY)
safe_strdup(iConf.outdated_tls_policy_user_message, "Your IRC client is using an outdated SSL/TLS protocol or ciphersuite ($protocol-$cipher). Please upgrade your IRC client.");
safe_strdup(iConf.outdated_tls_policy_user_message, "Your IRC client is using an outdated TLS protocol or ciphersuite ($protocol-$cipher). Please upgrade your IRC client.");
else if (iConf.outdated_tls_policy_user == POLICY_WARN)
safe_strdup(iConf.outdated_tls_policy_user_message, "WARNING: Your IRC client is using an outdated SSL/TLS protocol or ciphersuite ($protocol-$cipher). Please upgrade your IRC client.");
safe_strdup(iConf.outdated_tls_policy_user_message, "WARNING: Your IRC client is using an outdated TLS protocol or ciphersuite ($protocol-$cipher). Please upgrade your IRC client.");
}
if (!iConf.outdated_tls_policy_oper_message)
{
/* The message depends on whether it's reject or warn.. */
if (iConf.outdated_tls_policy_oper == POLICY_DENY)
safe_strdup(iConf.outdated_tls_policy_oper_message, "Your IRC client is using an outdated SSL/TLS protocol or ciphersuite ($protocol-$cipher). Please upgrade your IRC client.");
safe_strdup(iConf.outdated_tls_policy_oper_message, "Your IRC client is using an outdated TLS protocol or ciphersuite ($protocol-$cipher). Please upgrade your IRC client.");
else if (iConf.outdated_tls_policy_oper == POLICY_WARN)
safe_strdup(iConf.outdated_tls_policy_oper_message, "WARNING: Your IRC client is using an outdated SSL/TLS protocol or ciphersuite ($protocol-$cipher). Please upgrade your IRC client.");
safe_strdup(iConf.outdated_tls_policy_oper_message, "WARNING: Your IRC client is using an outdated TLS protocol or ciphersuite ($protocol-$cipher). Please upgrade your IRC client.");
}
/* We got a chicken-and-egg problem here.. antries added without reason or ban-time
@ -6452,7 +6452,7 @@ int _test_link(ConfigFile *conf, ConfigEntry *ce)
(auth->type != AUTHTYPE_TLS_CLIENTCERTFP) && (auth->type != AUTHTYPE_SPKIFP))
{
config_error("%s:%i: password in link block should be plaintext OR should be the "
"SSL or SPKI fingerprint of the remote link (=better)",
"certificate or SPKI fingerprint of the remote link (=better)",
/* TODO: mention some faq or wiki item for more information */
cep->file->filename, cep->line_number);
errors++;
@ -7075,7 +7075,7 @@ void test_tlsblock(ConfigFile *conf, ConfigEntry *cep, int *totalerrors)
{
if (!nv_find_by_name(_TLSFlags, ceppp->name))
{
config_error("%s:%i: unknown SSL/TLS option '%s'",
config_error("%s:%i: unknown TLS option '%s'",
ceppp->file->filename,
ceppp->line_number, ceppp->name);
errors ++;

4
src/crashreport.c

@ -531,7 +531,7 @@ char *generate_crash_report(char *coredump, int *thirdpartymods)
#define CRASH_REPORT_HOST "crash.unrealircd.org"
SSL_CTX *crashreport_init_ssl(void)
SSL_CTX *crashreport_init_tls(void)
{
SSL_CTX *ctx_client;
char buf[512];
@ -587,7 +587,7 @@ int crashreport_send(char *fname)
delimiter);
snprintf(footer, sizeof(footer), "\r\n--%s--\r\n", delimiter);
ctx_client = crashreport_init_ssl();
ctx_client = crashreport_init_tls();
if (!ctx_client)
{
printf("ERROR: TLS initalization failure (I)\n");

3
src/debug.c

@ -48,9 +48,6 @@ MODVAR char serveropts[] = {
'Y',
#endif
'6',
#ifdef USE_SSL
'e',
#endif
#ifndef NO_OPEROVERRIDE
'O',
#endif

8
src/ircd.c

@ -814,7 +814,7 @@ int InitUnrealIRCd(int argc, char *argv[])
initlists();
initlist_channels();
early_init_ssl();
early_init_tls();
#ifdef USE_LIBCURL
url_init();
#endif
@ -1096,9 +1096,9 @@ int InitUnrealIRCd(int argc, char *argv[])
exit(-4);
}
if (!init_ssl())
if (!init_tls())
{
config_error("Failed to load SSL/TLS (see errors above). UnrealIRCd can not start.");
config_error("Failed to load TLS (see errors above). UnrealIRCd can not start.");
#ifdef _WIN32
win_error(); /* display error dialog box */
#endif
@ -1242,7 +1242,7 @@ void SocketLoop(void *dummy)
}
if (doreloadcert)
{
unreal_log(ULOG_INFO, "config", "CONFIG_RELOAD_TLS", NULL, "Reloading all SSL related data (./unrealircd reloadtls)");
unreal_log(ULOG_INFO, "config", "CONFIG_RELOAD_TLS", NULL, "Reloading all TLS related data (./unrealircd reloadtls)");
reinit_tls();
doreloadcert = 0;
}

4
src/modulemanager.c

@ -44,7 +44,7 @@ int mm_valid_module_name(char *name);
void free_managed_module(ManagedModule *m);
SSL_CTX *mm_init_ssl(void)
SSL_CTX *mm_init_tls(void)
{
SSL_CTX *ctx_client;
char buf1[512], buf2[512];
@ -134,7 +134,7 @@ int mm_http_request(char *url, char *fname, int follow_redirects)
snprintf(hostandport, sizeof(hostandport), "%s:%d", host, port);
ctx_client = mm_init_ssl();
ctx_client = mm_init_tls();
if (!ctx_client)
{
fprintf(stderr, "ERROR: TLS initalization failure (I)\n");

2
src/modules/certfp.c

@ -1,6 +1,6 @@
/*
* Certificate Fingerprint Module
* This grabs the SHA256 fingerprint of the SSL/TLS client certificate
* This grabs the SHA256 fingerprint of the TLS client certificate
* the user is using, shares it with the other servers (and rest of
* UnrealIRCd) and shows it in /WHOIS etc.
*

8
src/modules/chanmodes/issecure.c

@ -3,7 +3,7 @@
* (C) Copyright 2010-.. Bram Matthys (Syzop) and the UnrealIRCd team
*
* This module will indicate if a channel is secure, and if so will set +Z.
* Secure is defined as: all users on the channel are connected through SSL/TLS
* Secure is defined as: all users on the channel are connected through TLS
* Additionally, the channel has to be +z (only allow secure users to join).
* Suggested on http://bugs.unrealircd.org/view.php?id=3720
* Thanks go to fez for pushing us for some kind of method to indicate
@ -145,7 +145,7 @@ void issecure_unset(Channel *channel, Client *client, MessageTag *recv_mtags, in
mtags = NULL;
new_message_special(&me, recv_mtags, &mtags, "NOTICE %s :setting -Z", channel->name);
sendto_channel(channel, &me, NULL, 0, 0, SEND_LOCAL, mtags,
":%s NOTICE %s :User '%s' joined and is not connected through SSL/TLS, setting channel -Z (insecure)",
":%s NOTICE %s :User '%s' joined and is not connected through TLS, setting channel -Z (insecure)",
me.id, channel->name, client->name);
free_message_tags(mtags);
}
@ -175,13 +175,13 @@ void issecure_set(Channel *channel, Client *client, MessageTag *recv_mtags, int
* he is still considered a member of this channel.
*/
sendto_channel(channel, &me, client, 0, 0, SEND_LOCAL, NULL,
":%s NOTICE %s :Now all users in the channel are connected through SSL/TLS, setting channel +Z (secure)",
":%s NOTICE %s :Now all users in the channel are connected through TLS, setting channel +Z (secure)",
me.name, channel->name);
} else if (notice)
{
/* note the missing word 'now' in next line */
sendto_channel(channel, &me, NULL, 0, 0, SEND_LOCAL, NULL,
":%s NOTICE %s :All users in the channel are connected through SSL/TLS, setting channel +Z (secure)",
":%s NOTICE %s :All users in the channel are connected through TLS, setting channel +Z (secure)",
me.name, channel->name);
}
free_message_tags(mtags);

10
src/modules/chanmodes/link.c

@ -39,7 +39,7 @@ typedef enum {
LINKTYPE_BAN = 1, // +b
LINKTYPE_INVITE = 2, // +i
LINKTYPE_OPER = 3, // +O
LINKTYPE_SSL = 4, // +z
LINKTYPE_SECURE = 4, // +z
LINKTYPE_REG = 5, // +R
LINKTYPE_LIMIT = 6, // +l
LINKTYPE_BADKEY = 7, // +k
@ -312,8 +312,8 @@ int link_doforward(Client *client, Channel *channel, char *linked, linkType type
strncpy(desc, "channel is oper only", sizeof(desc));
break;
case LINKTYPE_SSL:
strncpy(desc, "channel requires SSL", sizeof(desc));
case LINKTYPE_SECURE:
strncpy(desc, "channel requires a secure connection", sizeof(desc));
break;
case LINKTYPE_REG:
@ -408,9 +408,9 @@ int link_pre_localjoin_cb(Client *client, Channel *channel, char *parv[])
if (has_channel_mode(channel, 'O') && !IsOper(client))
return link_doforward(client, channel, linked, LINKTYPE_OPER);
// SSL/TLS connected users only
// TLS connected users only
if (has_channel_mode(channel, 'z') && !IsSecureConnect(client))
return link_doforward(client, channel, linked, LINKTYPE_SSL);
return link_doforward(client, channel, linked, LINKTYPE_SECURE);
// Registered/identified users only
if (has_channel_mode(channel, 'R') && !IsRegNick(client))

2
src/modules/chanmodes/secureonly.c

@ -167,7 +167,7 @@ int secureonly_check_sajoin(Client *target, Channel *channel, Client *requester)
{
if (IsSecureOnly(channel) && !IsSecure(target))
{
sendnotice(requester, "You cannot SAJOIN %s to %s because the channel is +z and the user is not connected via SSL/TLS",
sendnotice(requester, "You cannot SAJOIN %s to %s because the channel is +z and the user is not connected via TLS",
target->name, channel->name);
return HOOK_DENY;
}

2
src/modules/invite.c

@ -483,7 +483,7 @@ CMD_FUNC(cmd_invite)
client->name, client->user->username, client->user->realhost, channel->name);
/* Logging implementation added by XeRXeS */
ircd_log(LOG_OVERRIDE,"OVERRIDE: %s (%s@%s) invited him/herself into %s (Overriding SSL/TLS-Only)",
ircd_log(LOG_OVERRIDE,"OVERRIDE: %s (%s@%s) invited him/herself into %s (Overriding TLS-Only)",
client->name, client->user->username, client->user->realhost, channel->name);
}
#ifdef OPEROVERRIDE_VERIFY

10
src/modules/jumpserver.c

@ -137,7 +137,7 @@ CMD_FUNC(cmd_jumpserver)
if ((parc < 2) || BadPtr(parv[1]))
{
if (jss && jss->ssl_server)
sendnotice(client, "JumpServer is \002ENABLED\002 to %s:%d (SSL/TLS: %s:%d) with reason '%s'",
sendnotice(client, "JumpServer is \002ENABLED\002 to %s:%d (TLS: %s:%d) with reason '%s'",
jss->server, jss->port, jss->ssl_server, jss->ssl_port, jss->reason);
else
if (jss)
@ -178,9 +178,9 @@ CMD_FUNC(cmd_jumpserver)
}
/* Parsing code follows...
* The parsing of the SSL stuff is still done even on non-SSL,
* The parsing of the TLS stuff is still done even on non-TLS,
* but it's simply not used/applied :).
* Reason for this is to reduce non-SSL/SSL inconsistency issues.
* Reason for this is to reduce inconsistency issues.
*/
serv = parv[1];
@ -212,7 +212,7 @@ CMD_FUNC(cmd_jumpserver)
sslport = atoi(p);
if ((sslport < 1) || (sslport > 65535))
{
sendnotice(client, "Invalid SSL/TLS serverport specified (%d)", sslport);
sendnotice(client, "Invalid TLS serverport specified (%d)", sslport);
return;
}
}
@ -248,7 +248,7 @@ CMD_FUNC(cmd_jumpserver)
/* Broadcast/log */
if (sslserv)
snprintf(logbuf, sizeof(logbuf), "%s (%s@%s) added JUMPSERVER redirect for %s to %s:%d [SSL/TLS: %s:%d] with reason '%s'",
snprintf(logbuf, sizeof(logbuf), "%s (%s@%s) added JUMPSERVER redirect for %s to %s:%d [TLS: %s:%d] with reason '%s'",
client->name, client->user->username, client->user->realhost,
all ? "ALL CLIENTS" : "all new clients",
jss->server, jss->port, jss->ssl_server, jss->ssl_port, jss->reason);

10
src/modules/link-security.c

@ -141,7 +141,7 @@ int certificate_verification_active(Client *client)
/** Calculate our (local) link-security level.
* This means stepping through the list of directly linked
* servers and determining if they are linked via SSL and
* servers and determining if they are linked via TLS and
* certificate verification is active.
* @returns value from 0 to 2.
*/
@ -155,7 +155,7 @@ int our_link_security(void)
if (IsLocalhost(client))
continue; /* server connected via localhost */
if (!IsSecure(client))
return 0; /* Any non-SSL server (which is not localhost) results in level 0. */
return 0; /* Any non-TLS server (which is not localhost) results in level 0. */
if (!certificate_verification_active(client))
level = 1; /* downgrade to level 1 */
}
@ -272,9 +272,9 @@ CMD_FUNC(cmd_linksecurity)
sendtxtnumeric(client, "= Legend =");
sendtxtnumeric(client, "Higher level means better link security");
sendtxtnumeric(client, "Level UNKNOWN: Not an UnrealIRCd server (eg: services) or an old version (<4.0.14)");
sendtxtnumeric(client, "Level 0: One or more servers linked insecurely (not using SSL/TLS)");
sendtxtnumeric(client, "Level 1: Servers are linked with SSL/TLS but at least one of them is not verifying certificates");
sendtxtnumeric(client, "Level 2: Servers linked with SSL/TLS and certificates are properly verified");
sendtxtnumeric(client, "Level 0: One or more servers linked insecurely (not using TLS)");
sendtxtnumeric(client, "Level 1: Servers are linked with TLS but at least one of them is not verifying certificates");
sendtxtnumeric(client, "Level 2: Servers linked with TLS and certificates are properly verified");
sendtxtnumeric(client, "-");
sendtxtnumeric(client, "= More information =");
sendtxtnumeric(client, "To understand more about link security and how to improve your level");

12
src/modules/server.c

@ -781,7 +781,7 @@ skip_host_check:
"Link with server $client.details denied: verify-certificate failed: $certificate_failure_msg",
log_data_string("certificate_failure_msg", "not using TLS"),
log_data_link_block(link));
exit_client(client, NULL, "Link denied (Not using SSL/TLS)");
exit_client(client, NULL, "Link denied (Not using TLS)");
return 0;
}
if (!verify_certificate(client->local->ssl, link->servername, &errstr))
@ -820,20 +820,20 @@ skip_host_check:
unreal_log(ULOG_ERROR, "link", "LINK_DENIED_NO_TLS", client,
"Link with server $client.details denied: "
"Server needs to use TLS (set::plaintext-policy::server is 'deny')\n"
"See https://www.unrealircd.org/docs/FAQ#ERROR:_Servers_need_to_use_SSL.2FTLS",
"See https://www.unrealircd.org/docs/FAQ#server-requires-tls",
log_data_link_block(link));
exit_client(client, NULL, "Servers need to use SSL/TLS (set::plaintext-policy::server is 'deny')");
exit_client(client, NULL, "Servers need to use TLS (set::plaintext-policy::server is 'deny')");
return 0;
}
if (IsSecure(client) && (iConf.outdated_tls_policy_server == POLICY_DENY) && outdated_tls_client(client))
{
unreal_log(ULOG_ERROR, "link", "LINK_DENIED_OUTDATED_TLS", client,
"Link with server $client.details denied: "
"Server is using an outdated SSL/TLS protocol or cipher ($tls_cipher) and set::outdated-tls-policy::server is 'deny'.\n"
"Server is using an outdated TLS protocol or cipher ($tls_cipher) and set::outdated-tls-policy::server is 'deny'.\n"
"See https://www.unrealircd.org/docs/FAQ#server-outdated-tls",
log_data_link_block(link),
log_data_string("tls_cipher", tls_get_cipher(client->local->ssl)));
exit_client(client, NULL, "Server using outdates SSL/TLS protocol or cipher (set::outdated-tls-policy::server is 'deny')");
exit_client(client, NULL, "Server using outdates TLS protocol or cipher (set::outdated-tls-policy::server is 'deny')");
return 0;
}
/* This one is at the end, because it causes us to delink another server,
@ -1881,7 +1881,7 @@ void _connect_server(ConfigItem_link *aconf, Client *by, struct hostent *hp)
if (aconf->outgoing.options & CONNECT_TLS)
{
SetTLSConnectHandshake(client);
fd_setselect(client->local->fd, FD_SELECT_WRITE, ircd_SSL_client_handshake, client);
fd_setselect(client->local->fd, FD_SELECT_WRITE, unreal_tls_client_handshake, client);
}
else
fd_setselect(client->local->fd, FD_SELECT_WRITE, completed_connection, client);

4
src/modules/starttls.c

@ -71,7 +71,7 @@ CMD_FUNC(cmd_starttls)
ctx = client->local->listener->ssl_ctx ? client->local->listener->ssl_ctx : ctx_server;
tls_options = client->local->listener->tls_options ? client->local->listener->tls_options->options : iConf.tls_options->options;
/* Is SSL support enabled? (may not, if failed to load cert/keys/..) */
/* This should never happen? */
if (!ctx)
{
/* Pretend STARTTLS is an unknown command, this is the safest approach */
@ -102,7 +102,7 @@ CMD_FUNC(cmd_starttls)
SetTLS(client);
SSL_set_fd(client->local->ssl, client->local->fd);
SSL_set_nonblocking(client->local->ssl);
if (!ircd_SSL_accept(client, client->local->fd))
if (!unreal_tls_accept(client, client->local->fd))
{
SSL_set_shutdown(client->local->ssl, SSL_RECEIVED_SHUTDOWN);
SSL_smart_shutdown(client->local->ssl);

2
src/modules/sts.c

@ -66,7 +66,7 @@ int sts_capability_visible(Client *client)
if (!IsSecure(client))
{
if (iConf.tls_options && iConf.tls_options->sts_port)
return 1; /* YES, non-SSL user and set::tls::sts-policy configured */
return 1; /* YES, non-TLS user and set::tls::sts-policy configured */
return 0; /* NO, there is no sts-policy */
}

2
src/modules/tkl.c

@ -1187,7 +1187,7 @@ void tkl_general_stats(Client *client)
/** ZLINE - Kill a user as soon as it tries to connect to the server.
* This happens before any DNS/ident lookups have been done and
* before any data has been processed (including no SSL/TLS handshake, etc.)
* before any data has been processed (including no TLS handshake, etc.)
*/
CMD_FUNC(cmd_zline)
{

6
src/modules/tls_antidos.c

@ -1,6 +1,6 @@
/*
* SSL/TLS Anti DoS module
* This protects against SSL renegotiation attacks while still allowing us
* TLS Anti DoS module
* This protects against TLS renegotiation attacks while still allowing us
* to leave renegotiation on with all it's security benefits.
*
* (C) Copyright 2015- Bram Matthys and the UnrealIRCd team.
@ -104,7 +104,7 @@ int tls_antidos_handshake(Client *client)
return 0;
}
/** Called by OpenSSL when the SSL structure is freed (so we can free up our custom struct too) */
/** Called by OpenSSL when the SSL * structure is freed (so we can free up our custom struct too) */
void tls_antidos_free(void *parent, void *ptr, CRYPTO_EX_DATA *ad, int idx, long argl, void *argp)
{
safe_free(ptr);

8
src/modules/usermodes/secureonlymsg.c

@ -1,5 +1,5 @@
/*
* Recieve private messages only from SSL/TLS users (User mode +Z)
* Recieve private messages only from TLS users (User mode +Z)
* (C) Copyright 2000-.. Bram Matthys (Syzop) and the UnrealIRCd team
* Idea from "Stealth" <stealth@x-tab.org>
*
@ -65,7 +65,7 @@ int secureonlymsg_can_send_to_user(Client *client, Client *target, char **text,
if (ValidatePermissionsForPath("client:override:message:secureonlymsg",client,target,NULL,text))
return HOOK_CONTINUE; /* bypass this restriction */
*errmsg = "You must be connected via SSL/TLS to message this user";
*errmsg = "You must be connected via TLS to message this user";
return HOOK_DENY;
} else
if (IsSecureOnlyMsg(client) && !IsSecureConnect(target) && !IsULine(target))
@ -74,11 +74,11 @@ int secureonlymsg_can_send_to_user(Client *client, Client *target, char **text,
return HOOK_CONTINUE; /* bypass this restriction */
/* Similar to above but in this case we are +Z and are trying to message
* an SSL user (who does not have +Z set, note the 'else'). This does not
* a secure user (who does not have +Z set, note the 'else'). This does not
* make sense since they could never message back to us. Better block the
* message than leave the user confused.
*/
*errmsg = "Recipient is not connected via SSL/TLS and you are +Z";
*errmsg = "Recipient is not connected via TLS and you are +Z";
return HOOK_DENY;
}

8
src/serv.c

@ -351,7 +351,7 @@ CMD_FUNC(cmd_credits)
}
}
/** Return flags for a client (connection), eg 's' for SSL/TLS - used in STATS L/l */
/** Return flags for a client (connection), eg 's' for TLS - used in STATS L/l */
char *get_client_status(Client *client)
{
static char buf[10];
@ -1308,17 +1308,17 @@ void lost_server_link(Client *client, char *tls_error_string)
}
}
/** Reject an insecure (outgoing) server link that isn't SSL/TLS.
/** Reject an insecure (outgoing) server link that isn't TLS.
* This function is void and not int because it can be called from other void functions
*/
void reject_insecure_server(Client *client)
{
sendto_umode(UMODE_OPER, "Could not link with server %s with SSL/TLS enabled. "
sendto_umode(UMODE_OPER, "Could not link with server %s with TLS enabled. "
"Please check logs on the other side of the link. "
"If you insist with insecure linking then you can set link::options::outgoing::insecure "
"(NOT recommended!).",
client->name);
dead_socket(client, "Rejected link without SSL/TLS");
dead_socket(client, "Rejected link without TLS");
}
/** Start server handshake - called after the outgoing connection has been established.

18
src/socket.c

@ -281,14 +281,14 @@ void close_listener(ConfigItem_listen *listener)
ircd_log(LOG_ERROR, "IRCd no longer listening on %s:%d (%s)%s",
listener->ip, listener->port,
listener->ipv6 ? "IPv6" : "IPv4",
listener->options & LISTENER_TLS ? " (SSL/TLS)" : "");
listener->options & LISTENER_TLS ? " (TLS)" : "");
fd_close(listener->fd);
--OpenFiles;
}
listener->options &= ~LISTENER_BOUND;
listener->fd = -1;
/* We can already free the SSL/TLS context, since it is only
/* We can already free the TLS context, since it is only
* used for new connections, which we no longer accept.
*/
if (listener->ssl_ctx)
@ -460,7 +460,7 @@ void completed_connection(int fd, int revents, void *data)
if (IsHandshake(client))
{
/* Due to delayed ircd_SSL_connect call */
/* Due to delayed unreal_tls_connect call */
start_server_handshake(client);
fd_setselect(fd, FD_SELECT_READ, read_packet, client);
return;
@ -836,8 +836,8 @@ refuse_client:
SetTLS(client);
SSL_set_fd(client->local->ssl, fd);
SSL_set_nonblocking(client->local->ssl);
SSL_set_ex_data(client->local->ssl, ssl_client_index, client);
if (!ircd_SSL_accept(client, fd))
SSL_set_ex_data(client->local->ssl, tls_client_index, client);
if (!unreal_tls_accept(client, fd))
{
SSL_set_shutdown(client->local->ssl, SSL_RECEIVED_SHUTDOWN);
SSL_smart_shutdown(client->local->ssl);
@ -856,7 +856,7 @@ static int dns_special_flag = 0; /* This is for an "interesting" race condition
/** Start of normal client handshake - DNS and ident lookups, etc.
* @param client The client
* @note This is called directly after accept() -> add_connection() for plaintext.
* For SSL/TLS connections this is called after the SSL/TLS handshake is completed.
* For TLS connections this is called after the TLS handshake is completed.
*/
void start_of_normal_client_handshake(Client *client)
{
@ -935,7 +935,7 @@ void read_packet(int fd, int revents, void *data)
fd_setselect(fd, FD_SELECT_READ, read_packet, client);
/* Restore handling of writes towards send_queued_cb(), since
* it may be overwritten in an earlier call to read_packet(),
* to handle (SSL) writes by read_packet(), see below under
* to handle (TLS) writes by read_packet(), see below under
* SSL_ERROR_WANT_WRITE.
*/
fd_setselect(fd, FD_SELECT_WRITE, send_queued_cb, client);
@ -1102,11 +1102,11 @@ int ipv6_capable(void)
/** Attempt to deliver data to a client.
* This function is only called from send_queued() and will deal
* with sending to the SSL/TLS or plaintext connection.
* with sending to the TLS or plaintext connection.
* @param cptr The client
* @param str The string to send
* @param len The length of the string
* @param want_read In case of SSL/TLS it may happen that SSL_write()
* @param want_read In case of TLS it may happen that SSL_write()
* needs to READ data. If this happens then this
* function will set *want_read to 1.
* The upper layer should then call us again when

164
src/tls.c

@ -19,7 +19,7 @@
*/
/** @file
* @brief SSL/TLS functions
* @brief TLS functions
*/
#include "unrealircd.h"
@ -31,33 +31,32 @@ extern HINSTANCE hInst;
extern HWND hwIRCDWnd;
#endif
#define SAFE_SSL_READ 1
#define SAFE_SSL_WRITE 2
#define SAFE_SSL_ACCEPT 3
#define SAFE_SSL_CONNECT 4
#define FUNC_TLS_READ 1
#define FUNC_TLS_WRITE 2
#define FUNC_TLS_ACCEPT 3
#define FUNC_TLS_CONNECT 4
/* Forward declarations */
static int fatal_ssl_error(int ssl_error, int where, int my_errno, Client *client);
static int fatal_tls_error(int ssl_error, int where, int my_errno, Client *client);
int cipher_check(SSL_CTX *ctx, char **errstr);
int certificate_quality_check(SSL_CTX *ctx, char **errstr);
/* The SSL structures */
/* The TLS structures */
SSL_CTX *ctx_server;
SSL_CTX *ctx_client;
char *SSLKeyPasswd;
char *TLSKeyPasswd;
typedef struct {
int *size;
char **buffer;
} StreamIO;
MODVAR int ssl_client_index = 0;
MODVAR int tls_client_index = 0;
#define CHK_SSL(err) if ((err)==-1) { ERR_print_errors_fp(stderr); }
#ifdef _WIN32
/** Ask SSL private key password (Windows GUI mode only) */
LRESULT SSLPassDLG(HWND hDlg, UINT Message, WPARAM wParam, LPARAM lParam)
/** Ask private key password (Windows GUI mode only) */
LRESULT TLS_key_passwd_dialog(HWND hDlg, UINT Message, WPARAM wParam, LPARAM lParam)
{
static StreamIO *stream;
switch (Message) {
@ -96,7 +95,7 @@ char *ssl_error_str(int err, int my_errno)
switch(err)
{
case SSL_ERROR_NONE:
ssl_errstr = "SSL: No error";
ssl_errstr = "OpenSSL: No error";
break;
case SSL_ERROR_SSL:
ssl_errstr = "Internal OpenSSL error or protocol error";
@ -126,8 +125,8 @@ char *ssl_error_str(int err, int my_errno)
return ssl_errstr;
}
/** Ask SSL private key password (rare) */
int ssl_pem_passwd_cb(char *buf, int size, int rwflag, void *password)
/** Ask certificate private key password (rare) */
int TLS_key_passwd_cb(char *buf, int size, int rwflag, void *password)
{
char *pass;
static int before = 0;
@ -143,19 +142,19 @@ int ssl_pem_passwd_cb(char *buf, int size, int rwflag, void *password)
return strlen(buf);
}
#ifndef _WIN32
pass = getpass("Password for SSL private key: ");
pass = getpass("Password for TLS private key: ");
#else
pass = passbuf;
stream.buffer = &pass;
stream.size = &passsize;
DialogBoxParam(hInst, "SSLPass", hwIRCDWnd, (DLGPROC)SSLPassDLG, (LPARAM)&stream);
DialogBoxParam(hInst, "TLSKey", hwIRCDWnd, (DLGPROC)TLS_key_passwd_dialog, (LPARAM)&stream);
#endif
if (pass)
{
strlcpy(buf, pass, size);
strlcpy(beforebuf, pass, sizeof(beforebuf));
before = 1;
SSLKeyPasswd = beforebuf;
TLSKeyPasswd = beforebuf;
return (strlen(buf));
}
return 0;
@ -173,7 +172,7 @@ static int ssl_verify_callback(int preverify_ok, X509_STORE_CTX *ctx)
/** Get Client pointer by SSL pointer */
Client *get_client_by_ssl(SSL *ssl)
{
return SSL_get_ex_data(ssl, ssl_client_index);
return SSL_get_ex_data(ssl, tls_client_index);
}
/** Set requested server name as indicated by SNI */
@ -199,7 +198,7 @@ static int ssl_hostname_callback(SSL *ssl, int *unk, void *arg)
return SSL_TLSEXT_ERR_OK;
}
/** Disable SSL/TLS protocols as set by config */
/** Disable TLS protocols as set by config */
void disable_ssl_protocols(SSL_CTX *ctx, TLSOptions *tlsoptions)
{
/* OpenSSL has three mechanisms for protocol version control... */
@ -223,7 +222,7 @@ void disable_ssl_protocols(SSL_CTX *ctx, TLSOptions *tlsoptions)
/* The remaining two mechanisms are:
* The old way, which is most flexible, is to use:
* SSL_CTX_set_options(... SSL_OP_NO_<version>) which allows
* you to disable each and every specific SSL/TLS version.
* you to disable each and every specific TLS version.
*
* And the new way, which only allows setting a
* minimum and maximum protocol version, using:
@ -273,10 +272,10 @@ void disable_ssl_protocols(SSL_CTX *ctx, TLSOptions *tlsoptions)
#endif
}
/** Initialize SSL/TLS context
/** Initialize TLS context
* @param tlsoptions The ::tls-options configuration
* @param server Set to 1 if we are initializing a server, 0 for client.
* @returns The SSL/TLS context (SSL_CTX) or NULL in case of error.
* @returns The TLS context (SSL_CTX) or NULL in case of error.
*/
SSL_CTX *init_ctx(TLSOptions *tlsoptions, int server)
{
@ -296,14 +295,14 @@ SSL_CTX *init_ctx(TLSOptions *tlsoptions, int server)
return NULL;
}
disable_ssl_protocols(ctx, tlsoptions);
SSL_CTX_set_default_passwd_cb(ctx, ssl_pem_passwd_cb);
SSL_CTX_set_default_passwd_cb(ctx, TLS_key_passwd_cb);
if (server && !(tlsoptions->options & TLSFLAG_DISABLECLIENTCERT))
{
/* We tell OpenSSL/LibreSSL to verify the certificate and set our callback.
* Our callback will always accept the certificate since actual checking
* will take place elsewhere. Why? Because certificate is (often) delayed
* until after the SSL handshake. Such as in the case of link blocks where
* until after the TLS handshake. Such as in the case of link blocks where
* _verify_link() will take care of it only after we learned what server
* we are dealing with (and if we should verify certificates for that server).
*/
@ -463,34 +462,34 @@ MODVAR EVP_MD *sha1_function; /**< SHA1 function for EVP_DigestInit_ex() call */
MODVAR EVP_MD *md5_function; /**< MD5 function for EVP_DigestInit_ex() call */
#endif
/** Early initalization of SSL/TLS subsystem - called on startup */
int early_init_ssl(void)
/** Early initalization of TLS subsystem - called on startup */
int early_init_tls(void)
{
SSL_load_error_strings();
SSLeay_add_ssl_algorithms();
/* This is used to track (SSL *) <--> (Client *) relationships: */
ssl_client_index = SSL_get_ex_new_index(0, "ssl_client", NULL, NULL, NULL);
tls_client_index = SSL_get_ex_new_index(0, "tls_client", NULL, NULL, NULL);
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
sha256_function = EVP_MD_fetch(NULL, "SHA2-256", NULL);
if (!sha256_function)
{
fprintf(stderr, "Could not find SHA256 algorithm in SSL library\n");
fprintf(stderr, "Could not find SHA256 algorithm in TLS library\n");
exit(6);
}
sha1_function = EVP_MD_fetch(NULL, "SHA1", NULL);
if (!sha1_function)
{
fprintf(stderr, "Could not find SHA1 algorithm in SSL library\n");
fprintf(stderr, "Could not find SHA1 algorithm in TLS library\n");
exit(6);
}
md5_function = EVP_MD_fetch(NULL, "MD5", NULL);
if (!md5_function)
{
fprintf(stderr, "Could not find MD5 algorithm in SSL library\n");
fprintf(stderr, "Could not find MD5 algorithm in TLS library\n");
exit(6);
}
#endif
@ -500,9 +499,8 @@ int early_init_ssl(void)
/** Initialize the server and client contexts.
* This is only possible after reading the configuration file.
*/
int init_ssl(void)
int init_tls(void)
{
/* SSL preliminaries. We keep the certificate and key with the context. */
ctx_server = init_ctx(iConf.tls_options, 1);
if (!ctx_server)
return 0;
@ -512,7 +510,7 @@ int init_ssl(void)
return 1;
}
/** Reinitialize SSL/TLS server and client contexts - after REHASH -tls
/** Reinitialize TLS server and client contexts - after REHASH -tls
*/
void reinit_tls(void)
{
@ -606,7 +604,7 @@ void SSL_set_nonblocking(SSL *s)
BIO_set_nbio(SSL_get_wbio(s),1);
}
/** Get SSL/TLS ciphersuite */
/** Get TLS ciphersuite */
char *tls_get_cipher(SSL *ssl)
{
static char buf[256];
@ -633,8 +631,8 @@ TLSOptions *get_tls_options_for_client(Client *client)
return iConf.tls_options;
}
/** Outgoing SSL connect (read: handshake) to another server. */
void ircd_SSL_client_handshake(int fd, int revents, void *data)
/** Outgoing TLS connect (read: handshake) to another server. */
void unreal_tls_client_handshake(int fd, int revents, void *data)
{
Client *client = data;
SSL_CTX *ctx = (client->serv && client->serv->conf && client->serv->conf->ssl_ctx) ? client->serv->conf->ssl_ctx : ctx_client;
@ -681,7 +679,7 @@ void ircd_SSL_client_handshake(int fd, int revents, void *data)
SetTLS(client);
switch (ircd_SSL_connect(client, fd))
switch (unreal_tls_connect(client, fd))
{
case -1:
fd_close(fd);
@ -699,15 +697,15 @@ void ircd_SSL_client_handshake(int fd, int revents, void *data)
}
/** Called by I/O engine to (re)try accepting an SSL/TLS connection */
static void ircd_SSL_accept_retry(int fd, int revents, void *data)
/** Called by I/O engine to (re)try accepting an TLS connection */
static void unreal_tls_accept_retry(int fd, int revents, void *data)
{
Client *client = data;
ircd_SSL_accept(client, fd);
unreal_tls_accept(client, fd);
}
/** Accept an SSL/TLS connection - that is: do the TLS handshake */
int ircd_SSL_accept(Client *client, int fd)
/** Accept an TLS connection - that is: do the TLS handshake */
int unreal_tls_accept(Client *client, int fd)
{
int ssl_err;
@ -722,26 +720,26 @@ int ircd_SSL_accept(Client *client, int fd)
{
char buf[512];
snprintf(buf, sizeof(buf),
"ERROR :STARTTLS received but this is an SSL-only port. Check your connect settings. "
"If this is a server linking in then add 'ssl' in your link::outgoing::options block.\r\n");
"ERROR :STARTTLS received but this is a TLS-only port. Check your connect settings. "
"If this is a server linking in then add 'tls' in your link::outgoing::options block.\r\n");
(void)send(fd, buf, strlen(buf), 0);
return fatal_ssl_error(SSL_ERROR_SSL, SAFE_SSL_ACCEPT, ERRNO, client);
return fatal_tls_error(SSL_ERROR_SSL, FUNC_TLS_ACCEPT, ERRNO, client);
}
if ((n >= 4) && (!strncmp(buf, "USER", 4) || !strncmp(buf, "NICK", 4) || !strncmp(buf, "PASS", 4) || !strncmp(buf, "CAP ", 4)))
{
char buf[512];
snprintf(buf, sizeof(buf),
"ERROR :NON-SSL command received on SSL-only port. Check your connection settings.\r\n");
"ERROR :NON-TLS command received on TLS-only port. Check your connection settings.\r\n");
(void)send(fd, buf, strlen(buf), 0);
return fatal_ssl_error(SSL_ERROR_SSL, SAFE_SSL_ACCEPT, ERRNO, client);
return fatal_tls_error(SSL_ERROR_SSL, FUNC_TLS_ACCEPT, ERRNO, client);
}
if ((n >= 8) && (!strncmp(buf, "PROTOCTL", 8) || !strncmp(buf, "SERVER", 6)))
{
char buf[512];
snprintf(buf, sizeof(buf),
"ERROR :NON-SSL command received on SSL-only port. Check your connection settings.\r\n");
"ERROR :NON-TLS command received on TLS-only port. Check your connection settings.\r\n");
(void)send(fd, buf, strlen(buf), 0);
return fatal_ssl_error(SSL_ERROR_SSL, SAFE_SSL_ACCEPT, ERRNO, client);
return fatal_tls_error(SSL_ERROR_SSL, FUNC_TLS_ACCEPT, ERRNO, client);
}
if (n > 0)
SetNextCall(client);
@ -756,17 +754,17 @@ int ircd_SSL_accept(Client *client, int fd)
{
return 1;
}
return fatal_ssl_error(ssl_err, SAFE_SSL_ACCEPT, ERRNO, client);
return fatal_tls_error(ssl_err, FUNC_TLS_ACCEPT, ERRNO, client);
case SSL_ERROR_WANT_READ:
fd_setselect(fd, FD_SELECT_READ, ircd_SSL_accept_retry, client);
fd_setselect(fd, FD_SELECT_READ, unreal_tls_accept_retry, client);
fd_setselect(fd, FD_SELECT_WRITE, NULL, client);
return 1;
case SSL_ERROR_WANT_WRITE:
fd_setselect(fd, FD_SELECT_READ, NULL, client);
fd_setselect(fd, FD_SELECT_WRITE, ircd_SSL_accept_retry, client);
fd_setselect(fd, FD_SELECT_WRITE, unreal_tls_accept_retry, client);
return 1;
default:
return fatal_ssl_error(ssl_err, SAFE_SSL_ACCEPT, ERRNO, client);
return fatal_tls_error(ssl_err, FUNC_TLS_ACCEPT, ERRNO, client);
}
/* NOTREACHED */
return -1;
@ -778,14 +776,14 @@ int ircd_SSL_accept(Client *client, int fd)
}
/** Called by the I/O engine to (re)try to connect to a remote host */
static void ircd_SSL_connect_retry(int fd, int revents, void *data)
static void unreal_tls_connect_retry(int fd, int revents, void *data)
{
Client *client = data;
ircd_SSL_connect(client, fd);
unreal_tls_connect(client, fd);
}
/** Connect to a remote host - that is: connect and do the TLS handshake */
int ircd_SSL_connect(Client *client, int fd)
int unreal_tls_connect(Client *client, int fd)
{
int ssl_err;
@ -797,23 +795,23 @@ int ircd_SSL_connect(Client *client, int fd)
case SSL_ERROR_SYSCALL:
if (ERRNO == P_EINTR || ERRNO == P_EWOULDBLOCK || ERRNO == P_EAGAIN)
{
/* Hmmm. This implementation is different than in ircd_SSL_accept().
/* Hmmm. This implementation is different than in unreal_tls_accept().
* One of them must be wrong -- better check! (TODO)
*/
fd_setselect(fd, FD_SELECT_READ|FD_SELECT_WRITE, ircd_SSL_connect_retry, client);
fd_setselect(fd, FD_SELECT_READ|FD_SELECT_WRITE, unreal_tls_connect_retry, client);
return 0;
}
return fatal_ssl_error(ssl_err, SAFE_SSL_CONNECT, ERRNO, client);
return fatal_tls_error(ssl_err, FUNC_TLS_CONNECT, ERRNO, client);
case SSL_ERROR_WANT_READ:
fd_setselect(fd, FD_SELECT_READ, ircd_SSL_connect_retry, client);
fd_setselect(fd, FD_SELECT_READ, unreal_tls_connect_retry, client);
fd_setselect(fd, FD_SELECT_WRITE, NULL, client);
return 0;
case SSL_ERROR_WANT_WRITE:
fd_setselect(fd, FD_SELECT_READ, NULL, client);
fd_setselect(fd, FD_SELECT_WRITE, ircd_SSL_connect_retry, client);
fd_setselect(fd, FD_SELECT_WRITE, unreal_tls_connect_retry, client);
return 0;
default:
return fatal_ssl_error(ssl_err, SAFE_SSL_CONNECT, ERRNO, client);
return fatal_tls_error(ssl_err, FUNC_TLS_CONNECT, ERRNO, client);
}
/* NOTREACHED */
return -1;
@ -825,7 +823,7 @@ int ircd_SSL_connect(Client *client, int fd)
return 1;
}
/** Shutdown a SSL/TLS connection (gracefully) */
/** Shutdown a TLS connection (gracefully) */
int SSL_smart_shutdown(SSL *ssl)
{
char i;
@ -840,14 +838,14 @@ int SSL_smart_shutdown(SSL *ssl)
}
/**
* Report a fatal SSL error and disconnect the associated client.
* Report