X-Git-Url: https://arthur.barton.de/cgi-bin/gitweb.cgi?a=blobdiff_plain;f=src%2Fngircd%2Fconn-ssl.c;h=59729e046628213937d932021591fd987c7b265b;hb=a7f37cebdc300b3b87bb8d6b558769cf11441f61;hp=fbf796c79ab3f41da09269abb1d615f06810eb64;hpb=5196e9bcb17111c43a71df2d11634b0705600b9f;p=ngircd-alex.git diff --git a/src/ngircd/conn-ssl.c b/src/ngircd/conn-ssl.c index fbf796c7..59729e04 100644 --- a/src/ngircd/conn-ssl.c +++ b/src/ngircd/conn-ssl.c @@ -1,11 +1,15 @@ /* * ngIRCd -- The Next Generation IRC Daemon - * - * SSL wrapper functions. * Copyright (c) 2005-2008 Florian Westphal */ #include "portab.h" + +/** + * @file + * SSL wrapper functions + */ + #include "imp.h" #include "conf-ssl.h" @@ -47,10 +51,11 @@ static bool ConnSSL_LoadServerKey_openssl PARAMS(( SSL_CTX *c )); #include #include -#define DH_BITS 1024 +#define DH_BITS 2048 +#define DH_BITS_MIN 1024 + static gnutls_certificate_credentials_t x509_cred; static gnutls_dh_params_t dh_params; - static bool ConnSSL_LoadServerKey_gnutls PARAMS(( void )); #endif @@ -151,7 +156,7 @@ Load_DH_params(void) bool ret = true; if (!Conf_SSLOptions.DHFile) { - Log(LOG_NOTICE, "Configuration option \"SSLDHFile\" not set!"); + Log(LOG_NOTICE, "Configuration option \"DHFile\" not set!"); return false; } fp = fopen(Conf_SSLOptions.DHFile, "r"); @@ -196,7 +201,7 @@ Load_DH_params(void) } if (need_dhgenerate) { Log(LOG_WARNING, - "SSLDHFile not set, generating %u bit DH parameters. This may take a while ...", + "DHFile not set, generating %u bit DH parameters. This may take a while ...", DH_BITS); err = gnutls_dh_params_generate2(tmp_dh_params, DH_BITS); if (err < 0) { @@ -236,6 +241,9 @@ void ConnSSL_Free(CONNECTION *c) bool ConnSSL_InitLibrary( void ) { + if (!array_bytes(&Conf_SSLOptions.ListenPorts)) + return true; + #ifdef HAVE_LIBSSL SSL_CTX *newctx; @@ -251,12 +259,14 @@ ConnSSL_InitLibrary( void ) * According to OpenSSL RAND_egd(3): "The automatic query of /var/run/egd-pool et al was added in OpenSSL 0.9.7"; * so it makes little sense to deal with PRNGD seeding ourselves. */ + array_free(&Conf_SSLOptions.ListenPorts); return false; } newctx = SSL_CTX_new(SSLv23_method()); if (!newctx) { LogOpenSSLError("SSL_CTX_new()", NULL); + array_free(&Conf_SSLOptions.ListenPorts); return false; } @@ -271,6 +281,7 @@ ConnSSL_InitLibrary( void ) return true; out: SSL_CTX_free(newctx); + array_free(&Conf_SSLOptions.ListenPorts); return false; #endif #ifdef HAVE_LIBGNUTLS @@ -282,10 +293,13 @@ out: err = gnutls_global_init(); if (err) { Log(LOG_ERR, "gnutls_global_init(): %s", gnutls_strerror(err)); + array_free(&Conf_SSLOptions.ListenPorts); return false; } - if (!ConnSSL_LoadServerKey_gnutls()) + if (!ConnSSL_LoadServerKey_gnutls()) { + array_free(&Conf_SSLOptions.ListenPorts); return false; + } Log(LOG_INFO, "gnutls %s initialized.", gnutls_check_version(NULL)); initialized = true; return true; @@ -308,7 +322,7 @@ ConnSSL_LoadServerKey_gnutls(void) cert_file = Conf_SSLOptions.CertFile ? Conf_SSLOptions.CertFile:Conf_SSLOptions.KeyFile; if (!cert_file) { - Log(LOG_NOTICE, "No SSL server key configured, SSL disabled."); + Log(LOG_ERR, "No SSL server key configured!"); return false; } @@ -339,7 +353,7 @@ ConnSSL_LoadServerKey_openssl(SSL_CTX *ctx) assert(ctx); if (!Conf_SSLOptions.KeyFile) { - Log(LOG_NOTICE, "No SSL server key configured, SSL disabled."); + Log(LOG_ERR, "No SSL server key configured!"); return false; } @@ -383,9 +397,10 @@ ConnSSL_Init_SSL(CONNECTION *c) int ret; assert(c != NULL); #ifdef HAVE_LIBSSL - if (!ssl_ctx) /* NULL when library initialization failed */ + if (!ssl_ctx) { + Log(LOG_ERR, "Cannot init ssl_ctx: OpenSSL initialization failed at startup"); return false; - + } assert(c->ssl_state.ssl == NULL); c->ssl_state.ssl = SSL_new(ssl_ctx); @@ -406,6 +421,7 @@ ConnSSL_Init_SSL(CONNECTION *c) if (ret < 0) { Log(LOG_ERR, "gnutls_set_default_priority: %s", gnutls_strerror(ret)); ConnSSL_Free(c); + return false; } /* * The intermediate (long) cast is here to avoid a warning like: @@ -418,8 +434,9 @@ ConnSSL_Init_SSL(CONNECTION *c) if (ret < 0) { Log(LOG_ERR, "gnutls_credentials_set: %s", gnutls_strerror(ret)); ConnSSL_Free(c); + return false; } - gnutls_dh_set_prime_bits(c->ssl_state.gnutls_session, DH_BITS); + gnutls_dh_set_prime_bits(c->ssl_state.gnutls_session, DH_BITS_MIN); #endif Conn_OPTION_ADD(c, CONN_SSL); return true; @@ -541,17 +558,18 @@ ConnSSL_LogCertInfo( CONNECTION *c ) assert(ssl); - Log(LOG_INFO, "New %s connection using cipher %s on socket %d.", - SSL_get_version(ssl), SSL_get_cipher(ssl), c->sock); + Log(LOG_INFO, "Connection %d: initialized %s using cipher %s.", + c->sock, SSL_get_version(ssl), SSL_get_cipher(ssl)); #endif #ifdef HAVE_LIBGNUTLS gnutls_session_t sess = c->ssl_state.gnutls_session; gnutls_cipher_algorithm_t cipher = gnutls_cipher_get(sess); - Log(LOG_INFO, "New %s connection using cipher %s-%s on socket %d.", + Log(LOG_INFO, "Connection %d: initialized %s using cipher %s-%s.", + c->sock, gnutls_protocol_get_name(gnutls_protocol_get_version(sess)), gnutls_cipher_get_name(cipher), - gnutls_mac_get_name(gnutls_mac_get(sess)), c->sock); + gnutls_mac_get_name(gnutls_mac_get(sess))); #endif } @@ -616,6 +634,8 @@ ConnectAccept( CONNECTION *c, bool connect) #endif /* _GNUTLS */ Conn_OPTION_DEL(c, (CONN_SSL_WANT_WRITE|CONN_SSL_WANT_READ|CONN_SSL_CONNECT)); ConnSSL_LogCertInfo(c); + + Conn_StartLogin(CONNECTION2ID(c)); return 1; } @@ -703,6 +723,13 @@ ConnSSL_GetCipherInfo(CONNECTION *c, char *buf, size_t len) #endif } +#else + +bool +ConnSSL_InitLibrary(void) +{ + return true; +} #endif /* SSL_SUPPORT */ /* -eof- */