| 1 |
|
/* |
| 2 |
|
* ircd-hybrid: an advanced, lightweight Internet Relay Chat Daemon (ircd) |
| 3 |
|
* |
| 4 |
+ |
* Copyright (c) 2015 Attila Molnar <attilamolnar@hush.com> |
| 5 |
+ |
* Copyright (c) 2015 Adam <Adam@anope.org> |
| 6 |
|
* Copyright (c) 2005-2016 ircd-hybrid development team |
| 7 |
|
* |
| 8 |
|
* This program is free software; you can redistribute it and/or modify |
| 30 |
|
#include "tls.h" |
| 31 |
|
#include "conf.h" |
| 32 |
|
#include "log.h" |
| 33 |
< |
#include "rsa.h" |
| 33 |
> |
#include "misc.h" |
| 34 |
|
#include "memory.h" |
| 35 |
|
|
| 36 |
|
#ifdef HAVE_TLS_OPENSSL |
| 37 |
|
|
| 38 |
+ |
static int TLS_initialized; |
| 39 |
+ |
|
| 40 |
+ |
/* |
| 41 |
+ |
* report_crypto_errors - Dump crypto error list to log |
| 42 |
+ |
*/ |
| 43 |
+ |
static void |
| 44 |
+ |
report_crypto_errors(void) |
| 45 |
+ |
{ |
| 46 |
+ |
unsigned long e = 0; |
| 47 |
+ |
|
| 48 |
+ |
while ((e = ERR_get_error())) |
| 49 |
+ |
ilog(LOG_TYPE_IRCD, "SSL error: %s", ERR_error_string(e, 0)); |
| 50 |
+ |
} |
| 51 |
+ |
|
| 52 |
|
static int |
| 53 |
|
always_accept_verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx) |
| 54 |
|
{ |
| 55 |
|
return 1; |
| 56 |
|
} |
| 57 |
|
|
| 58 |
+ |
int |
| 59 |
+ |
tls_is_initialized(void) |
| 60 |
+ |
{ |
| 61 |
+ |
return TLS_initialized; |
| 62 |
+ |
} |
| 63 |
+ |
|
| 64 |
|
/* tls_init() |
| 65 |
|
* |
| 66 |
|
* inputs - nothing |
| 90 |
|
SSL_CTX_set_session_cache_mode(ConfigServerInfo.tls_ctx.server_ctx, SSL_SESS_CACHE_OFF); |
| 91 |
|
SSL_CTX_set_cipher_list(ConfigServerInfo.tls_ctx.server_ctx, "EECDH+HIGH:EDH+HIGH:HIGH:!aNULL"); |
| 92 |
|
|
| 93 |
< |
#if OPENSSL_VERSION_NUMBER >= 0x009080FFL && !defined(OPENSSL_NO_ECDH) |
| 94 |
< |
{ |
| 73 |
< |
EC_KEY *key = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1); |
| 93 |
> |
#ifndef OPENSSL_NO_ECDH |
| 94 |
> |
EC_KEY *key = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1); |
| 95 |
|
|
| 96 |
< |
if (key) |
| 97 |
< |
{ |
| 98 |
< |
SSL_CTX_set_tmp_ecdh(ConfigServerInfo.tls_ctx.server_ctx, key); |
| 99 |
< |
EC_KEY_free(key); |
| 79 |
< |
} |
| 96 |
> |
if (key) |
| 97 |
> |
{ |
| 98 |
> |
SSL_CTX_set_tmp_ecdh(ConfigServerInfo.tls_ctx.server_ctx, key); |
| 99 |
> |
EC_KEY_free(key); |
| 100 |
|
} |
| 101 |
|
|
| 102 |
|
SSL_CTX_set_options(ConfigServerInfo.tls_ctx.server_ctx, SSL_OP_SINGLE_ECDH_USE); |
| 122 |
|
int |
| 123 |
|
tls_new_cred(void) |
| 124 |
|
{ |
| 125 |
+ |
TLS_initialized = 0; |
| 126 |
+ |
|
| 127 |
|
if (!ConfigServerInfo.ssl_certificate_file || !ConfigServerInfo.rsa_private_key_file) |
| 128 |
|
return 1; |
| 129 |
|
|
| 172 |
|
ilog(LOG_TYPE_IRCD, "Ignoring serverinfo::ssl_dh_param_file -- could not open/read Diffie-Hellman parameter file"); |
| 173 |
|
} |
| 174 |
|
|
| 175 |
< |
#if OPENSSL_VERSION_NUMBER >= 0x009080FFL && !defined(OPENSSL_NO_ECDH) |
| 175 |
> |
#ifndef OPENSSL_NO_ECDH |
| 176 |
|
if (ConfigServerInfo.ssl_dh_elliptic_curve) |
| 177 |
|
{ |
| 178 |
|
int nid = 0; |
| 216 |
|
} |
| 217 |
|
} |
| 218 |
|
|
| 219 |
+ |
if (ConfigServerInfo.ssl_cipher_list) |
| 220 |
+ |
SSL_CTX_set_cipher_list(ConfigServerInfo.tls_ctx.server_ctx, ConfigServerInfo.ssl_cipher_list); |
| 221 |
+ |
|
| 222 |
+ |
TLS_initialized = 1; |
| 223 |
|
return 1; |
| 224 |
|
} |
| 225 |
|
|
| 331 |
|
{ |
| 332 |
|
SSL *ssl; |
| 333 |
|
|
| 334 |
+ |
if (!TLS_initialized) |
| 335 |
+ |
return 0; |
| 336 |
+ |
|
| 337 |
|
if (role == TLS_ROLE_SERVER) |
| 338 |
|
ssl = SSL_new(ConfigServerInfo.tls_ctx.server_ctx); |
| 339 |
|
else |
