Explicitly test for the empty string in Channel_UserHasMode()

[ngircd-alex.git] / src / ngircd / conn-ssl.c

diff --git a/src/ngircd/conn-ssl.c b/src/ngircd/conn-ssl.c
index ae5fd572ae94abf7dbd090100a83535ca9219b0e..cb066dab98c391c5ea9455cb35e5a63a4106a3f5 100644 (file)
--- a/src/ngircd/conn-ssl.c
+++ b/src/ngircd/conn-ssl.c
@@ -65,13 +65,14 @@ static bool ConnSSL_LoadServerKey_openssl PARAMS(( SSL_CTX *c ));
 typedef struct {
        int refcnt;
        gnutls_certificate_credentials_t x509_cred;
+       gnutls_dh_params_t dh_params;
 } x509_cred_slot;
 
 static array x509_creds = INIT_ARRAY;
 static size_t x509_cred_idx;
 
 static gnutls_dh_params_t dh_params;
-static gnutls_priority_t priorities_cache;
+static gnutls_priority_t priorities_cache = NULL;
 static bool ConnSSL_LoadServerKey_gnutls PARAMS(( void ));
 #endif
 
@@ -279,12 +280,13 @@ void ConnSSL_Free(CONNECTION *c)
        assert(slot->x509_cred != NULL);
        slot->refcnt--;
        if ((c->ssl_state.x509_cred_idx != x509_cred_idx) && (slot->refcnt <= 0)) {
-               Log(LOG_INFO, "Discarding X509 certificate credentials from slot %zd.",
-                   c->ssl_state.x509_cred_idx);
-               /* TODO/FIXME: DH parameters will still leak memory. */
+               LogDebug("Discarding X509 certificate credentials from slot %zd.",
+                        c->ssl_state.x509_cred_idx);
                gnutls_certificate_free_keys(slot->x509_cred);
                gnutls_certificate_free_credentials(slot->x509_cred);
                slot->x509_cred = NULL;
+               gnutls_dh_params_deinit(slot->dh_params);
+               slot->dh_params = NULL;
                slot->refcnt = 0;
        }
 #endif
@@ -381,6 +383,9 @@ out:
        if (!ConnSSL_LoadServerKey_gnutls())
                goto out;
 
+       if (priorities_cache != NULL) {
+               gnutls_priority_deinit(priorities_cache);
+       }
        if (gnutls_priority_init(&priorities_cache, Conf_SSLOptions.CipherList,
                                 NULL) != GNUTLS_E_SUCCESS) {
                Log(LOG_ERR,
@@ -416,12 +421,6 @@ ConnSSL_LoadServerKey_gnutls(void)
                return false;
        }
 
-       cert_file = Conf_SSLOptions.CertFile ? Conf_SSLOptions.CertFile:Conf_SSLOptions.KeyFile;
-       if (!cert_file) {
-               Log(LOG_ERR, "No SSL server key configured!");
-               return false;
-       }
-
        if (array_bytes(&Conf_SSLOptions.KeyFilePassword))
                Log(LOG_WARNING,
                    "Ignoring SSL \"KeyFilePassword\": Not supported by GnuTLS.");
@@ -430,24 +429,33 @@ ConnSSL_LoadServerKey_gnutls(void)
                return false;
 
        gnutls_certificate_set_dh_params(x509_cred, dh_params);
-       err = gnutls_certificate_set_x509_key_file(x509_cred, cert_file, Conf_SSLOptions.KeyFile, GNUTLS_X509_FMT_PEM);
-       if (err < 0) {
-               Log(LOG_ERR,
-                   "Failed to set certificate key file (cert %s, key %s): %s",
-                   cert_file,
-                   Conf_SSLOptions.KeyFile ? Conf_SSLOptions.KeyFile : "(NULL)",
-                   gnutls_strerror(err));
-               return false;
+
+       cert_file = Conf_SSLOptions.CertFile ?
+                       Conf_SSLOptions.CertFile : Conf_SSLOptions.KeyFile;
+       if (Conf_SSLOptions.KeyFile) {
+               err = gnutls_certificate_set_x509_key_file(x509_cred, cert_file,
+                                                          Conf_SSLOptions.KeyFile,
+                                                          GNUTLS_X509_FMT_PEM);
+               if (err < 0) {
+                       Log(LOG_ERR,
+                           "Failed to set certificate key file (cert %s, key %s): %s",
+                           cert_file,
+                           Conf_SSLOptions.KeyFile ? Conf_SSLOptions.KeyFile : "(NULL)",
+                           gnutls_strerror(err));
+                       return false;
+               }
        }
 
        /* Free currently active x509 context (if any) unless it is still in use */
        slot = array_get(&x509_creds, sizeof(x509_cred_slot), x509_cred_idx);
        if ((slot != NULL) && (slot->refcnt <= 0) && (slot->x509_cred != NULL)) {
-               Log(LOG_INFO, "Discarding X509 certificate credentials from slot %zd.", x509_cred_idx);
-               /* TODO/FIXME: DH parameters will still leak memory. */
+               LogDebug("Discarding X509 certificate credentials from slot %zd.",
+                        x509_cred_idx);
                gnutls_certificate_free_keys(slot->x509_cred);
                gnutls_certificate_free_credentials(slot->x509_cred);
                slot->x509_cred = NULL;
+               gnutls_dh_params_deinit(slot->dh_params);
+               slot->dh_params = NULL;
                slot->refcnt = 0;
        }
 
@@ -487,14 +495,12 @@ ConnSSL_LoadServerKey_openssl(SSL_CTX *ctx)
        char *cert_key;
 
        assert(ctx);
-       if (!Conf_SSLOptions.KeyFile) {
-               Log(LOG_ERR, "No SSL server key configured!");
-               return false;
-       }
-
        SSL_CTX_set_default_passwd_cb(ctx, pem_passwd_cb);
        SSL_CTX_set_default_passwd_cb_userdata(ctx, &Conf_SSLOptions.KeyFilePassword);
 
+       if (!Conf_SSLOptions.KeyFile)
+               return true;
+
        if (SSL_CTX_use_PrivateKey_file(ctx, Conf_SSLOptions.KeyFile, SSL_FILETYPE_PEM) != 1) {
                array_free_wipe(&Conf_SSLOptions.KeyFilePassword);
                LogOpenSSLError("Failed to add private key", Conf_SSLOptions.KeyFile);
@@ -577,7 +583,7 @@ ConnSSL_Init_SSL(CONNECTION *c)
        gnutls_certificate_server_set_request(c->ssl_state.gnutls_session,
                                              GNUTLS_CERT_REQUEST);
 
-       Log(LOG_INFO, "Using X509 credentials from slot %zd", x509_cred_idx);
+       LogDebug("Using X509 credentials from slot %zd.", x509_cred_idx);
        c->ssl_state.x509_cred_idx = x509_cred_idx;
        x509_cred_slot *slot = array_get(&x509_creds, sizeof(x509_cred_slot), x509_cred_idx);
        slot->refcnt++;