diff options
author | Přemysl Janouch <p.janouch@gmail.com> | 2015-07-15 23:34:36 +0200 |
---|---|---|
committer | Přemysl Janouch <p.janouch@gmail.com> | 2015-07-15 23:34:36 +0200 |
commit | 6f3b48e4eb7538ba2974730b1c09d752278ec93a (patch) | |
tree | 9de1d6d7e06f2be51cc83e05fe6b6c0a0a038483 /kike.c | |
parent | c8496a83d88998ede42f04ce16b1daf6c7d39477 (diff) | |
download | xK-6f3b48e4eb7538ba2974730b1c09d752278ec93a.tar.gz xK-6f3b48e4eb7538ba2974730b1c09d752278ec93a.tar.xz xK-6f3b48e4eb7538ba2974730b1c09d752278ec93a.zip |
SSL -> TLS; fix error handling
Diffstat (limited to 'kike.c')
-rw-r--r-- | kike.c | 42 |
1 files changed, 23 insertions, 19 deletions
@@ -44,11 +44,11 @@ static struct config_item g_config_table[] = { "bind_host", NULL, "Address of the IRC server" }, { "bind_port", "6667", "Port of the IRC server" }, - { "ssl_cert", NULL, "Server SSL certificate (PEM)" }, - { "ssl_key", NULL, "Server SSL private key (PEM)" }, + { "ssl_cert", NULL, "Server TLS certificate (PEM)" }, + { "ssl_key", NULL, "Server TLS private key (PEM)" }, { "ssl_ciphers", DEFAULT_CIPHERS, "OpenSSL cipher list" }, - { "operators", NULL, "IRCop SSL cert. fingerprints" }, + { "operators", NULL, "IRCop TLS cert. fingerprints" }, { "max_connections", "0", "Global connection limit" }, { "ping_interval", "180", "Interval between PING's (sec)" }, @@ -624,7 +624,7 @@ struct server_context unsigned max_connections; ///< Max. connections allowed or 0 struct str_vector motd; ///< MOTD (none if empty) nl_catd catalog; ///< Message catalog for server msgs - struct str_map operators; ///< SSL cert. fingerprints for IRCops + struct str_map operators; ///< TLS cert. fingerprints for IRCops }; static void @@ -1206,7 +1206,7 @@ irc_try_finish_registration (struct client *c) hard_assert (c->ssl_cert_fingerprint == NULL); if ((c->ssl_cert_fingerprint = client_get_ssl_cert_fingerprint (c))) client_send (c, ":%s NOTICE %s :" - "Your SSL client certificate fingerprint is %s", + "Your TLS client certificate fingerprint is %s", ctx->server_name, c->nickname, c->ssl_cert_fingerprint); str_map_set (&ctx->whowas, c->nickname, NULL); @@ -1394,7 +1394,7 @@ irc_handle_pass (const struct irc_message *msg, struct client *c) else if (msg->params.len < 1) irc_send_reply (c, IRC_ERR_NEEDMOREPARAMS, msg->command); - // We have SSL client certificates for this purpose; ignoring + // We have TLS client certificates for this purpose; ignoring } static void @@ -1653,7 +1653,7 @@ irc_handle_user_mode_change (struct client *c, const char *mode_string) && str_map_find (&c->ctx->operators, c->ssl_cert_fingerprint)) new_mode |= IRC_USER_MODE_OPERATOR; else - client_send (c, ":%s NOTICE %s :Either you're not using an SSL" + client_send (c, ":%s NOTICE %s :Either you're not using an TLS" " client certificate, or the fingerprint doesn't match", c->ctx->server_name, c->nickname); break; @@ -3256,26 +3256,28 @@ client_initialize_ssl (struct client *c) const char *error_info = NULL; if (!c->ctx->ssl_ctx) { - error_info = "SSL support disabled"; + error_info = "TLS support disabled"; goto error_ssl_1; } + ERR_clear_error (); + c->ssl = SSL_new (c->ctx->ssl_ctx); if (!c->ssl) - goto error_ssl_1; - if (!SSL_set_fd (c->ssl, c->socket_fd)) goto error_ssl_2; + if (!SSL_set_fd (c->ssl, c->socket_fd)) + goto error_ssl_3; SSL_set_accept_state (c->ssl); return true; -error_ssl_2: +error_ssl_3: SSL_free (c->ssl); c->ssl = NULL; +error_ssl_2: + error_info = ERR_reason_error_string (ERR_get_error ()); error_ssl_1: - if (!error_info) - error_info = ERR_reason_error_string (ERR_get_error ()); - print_debug ("could not initialize SSL for %s: %s", c->address, error_info); + print_debug ("could not initialize TLS for %s: %s", c->address, error_info); return false; } @@ -3480,10 +3482,12 @@ static bool irc_initialize_ssl_ctx (struct server_context *ctx, const char *cert_path, const char *key_path, struct error **e) { + ERR_clear_error (); + ctx->ssl_ctx = SSL_CTX_new (SSLv23_server_method ()); if (!ctx->ssl_ctx) { - error_set (e, "%s: %s", "could not initialize SSL", + error_set (e, "%s: %s", "could not initialize TLS", ERR_reason_error_string (ERR_get_error ())); return false; } @@ -3510,11 +3514,11 @@ irc_initialize_ssl_ctx (struct server_context *ctx, if (!SSL_CTX_set_cipher_list (ctx->ssl_ctx, ciphers)) error_set (e, "failed to select any cipher from the cipher list"); else if (!SSL_CTX_use_certificate_chain_file (ctx->ssl_ctx, cert_path)) - error_set (e, "%s: %s", "setting the SSL client certificate failed", + error_set (e, "%s: %s", "setting the TLS certificate failed", ERR_reason_error_string (ERR_get_error ())); else if (!SSL_CTX_use_PrivateKey_file (ctx->ssl_ctx, key_path, SSL_FILETYPE_PEM)) - error_set (e, "%s: %s", "setting the SSL private key failed", + error_set (e, "%s: %s", "setting the TLS private key failed", ERR_reason_error_string (ERR_get_error ())); else // TODO: SSL_CTX_check_private_key()? It has probably already been @@ -3538,9 +3542,9 @@ irc_initialize_ssl (struct server_context *ctx, struct error **e) return true; if (!ssl_cert) - error_set (e, "no SSL certificate set"); + error_set (e, "no TLS certificate set"); else if (!ssl_key) - error_set (e, "no SSL private key set"); + error_set (e, "no TLS private key set"); if (!ssl_cert || !ssl_key) return false; |