From 6f3b48e4eb7538ba2974730b1c09d752278ec93a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?P=C5=99emysl=20Janouch?= <p.janouch@gmail.com>
Date: Wed, 15 Jul 2015 23:34:36 +0200
Subject: SSL -> TLS; fix error handling

---
 kike.c | 42 +++++++++++++++++++++++-------------------
 1 file changed, 23 insertions(+), 19 deletions(-)

(limited to 'kike.c')

diff --git a/kike.c b/kike.c
index bcbc4c6..bd1dab9 100644
--- a/kike.c
+++ b/kike.c
@@ -44,11 +44,11 @@ static struct config_item g_config_table[] =
 
 	{ "bind_host",       NULL,              "Address of the IRC server"      },
 	{ "bind_port",       "6667",            "Port of the IRC server"         },
-	{ "ssl_cert",        NULL,              "Server SSL certificate (PEM)"   },
-	{ "ssl_key",         NULL,              "Server SSL private key (PEM)"   },
+	{ "ssl_cert",        NULL,              "Server TLS certificate (PEM)"   },
+	{ "ssl_key",         NULL,              "Server TLS private key (PEM)"   },
 	{ "ssl_ciphers",     DEFAULT_CIPHERS,   "OpenSSL cipher list"            },
 
-	{ "operators",       NULL,              "IRCop SSL cert. fingerprints"   },
+	{ "operators",       NULL,              "IRCop TLS cert. fingerprints"   },
 
 	{ "max_connections", "0",               "Global connection limit"        },
 	{ "ping_interval",   "180",             "Interval between PING's (sec)"  },
@@ -624,7 +624,7 @@ struct server_context
 	unsigned max_connections;           ///< Max. connections allowed or 0
 	struct str_vector motd;             ///< MOTD (none if empty)
 	nl_catd catalog;                    ///< Message catalog for server msgs
-	struct str_map operators;           ///< SSL cert. fingerprints for IRCops
+	struct str_map operators;           ///< TLS cert. fingerprints for IRCops
 };
 
 static void
@@ -1206,7 +1206,7 @@ irc_try_finish_registration (struct client *c)
 	hard_assert (c->ssl_cert_fingerprint == NULL);
 	if ((c->ssl_cert_fingerprint = client_get_ssl_cert_fingerprint (c)))
 		client_send (c, ":%s NOTICE %s :"
-			"Your SSL client certificate fingerprint is %s",
+			"Your TLS client certificate fingerprint is %s",
 			ctx->server_name, c->nickname, c->ssl_cert_fingerprint);
 
 	str_map_set (&ctx->whowas, c->nickname, NULL);
@@ -1394,7 +1394,7 @@ irc_handle_pass (const struct irc_message *msg, struct client *c)
 	else if (msg->params.len < 1)
 		irc_send_reply (c, IRC_ERR_NEEDMOREPARAMS, msg->command);
 
-	// We have SSL client certificates for this purpose; ignoring
+	// We have TLS client certificates for this purpose; ignoring
 }
 
 static void
@@ -1653,7 +1653,7 @@ irc_handle_user_mode_change (struct client *c, const char *mode_string)
 			&& str_map_find (&c->ctx->operators, c->ssl_cert_fingerprint))
 			new_mode |= IRC_USER_MODE_OPERATOR;
 		else
-			client_send (c, ":%s NOTICE %s :Either you're not using an SSL"
+			client_send (c, ":%s NOTICE %s :Either you're not using an TLS"
 				" client certificate, or the fingerprint doesn't match",
 				c->ctx->server_name, c->nickname);
 		break;
@@ -3256,26 +3256,28 @@ client_initialize_ssl (struct client *c)
 	const char *error_info = NULL;
 	if (!c->ctx->ssl_ctx)
 	{
-		error_info = "SSL support disabled";
+		error_info = "TLS support disabled";
 		goto error_ssl_1;
 	}
 
+	ERR_clear_error ();
+
 	c->ssl = SSL_new (c->ctx->ssl_ctx);
 	if (!c->ssl)
-		goto error_ssl_1;
-	if (!SSL_set_fd (c->ssl, c->socket_fd))
 		goto error_ssl_2;
+	if (!SSL_set_fd (c->ssl, c->socket_fd))
+		goto error_ssl_3;
 
 	SSL_set_accept_state (c->ssl);
 	return true;
 
-error_ssl_2:
+error_ssl_3:
 	SSL_free (c->ssl);
 	c->ssl = NULL;
+error_ssl_2:
+	error_info = ERR_reason_error_string (ERR_get_error ());
 error_ssl_1:
-	if (!error_info)
-		error_info = ERR_reason_error_string (ERR_get_error ());
-	print_debug ("could not initialize SSL for %s: %s", c->address, error_info);
+	print_debug ("could not initialize TLS for %s: %s", c->address, error_info);
 	return false;
 }
 
@@ -3480,10 +3482,12 @@ static bool
 irc_initialize_ssl_ctx (struct server_context *ctx,
 	const char *cert_path, const char *key_path, struct error **e)
 {
+	ERR_clear_error ();
+
 	ctx->ssl_ctx = SSL_CTX_new (SSLv23_server_method ());
 	if (!ctx->ssl_ctx)
 	{
-		error_set (e, "%s: %s", "could not initialize SSL",
+		error_set (e, "%s: %s", "could not initialize TLS",
 			ERR_reason_error_string (ERR_get_error ()));
 		return false;
 	}
@@ -3510,11 +3514,11 @@ irc_initialize_ssl_ctx (struct server_context *ctx,
 	if (!SSL_CTX_set_cipher_list (ctx->ssl_ctx, ciphers))
 		error_set (e, "failed to select any cipher from the cipher list");
 	else if (!SSL_CTX_use_certificate_chain_file (ctx->ssl_ctx, cert_path))
-		error_set (e, "%s: %s", "setting the SSL client certificate failed",
+		error_set (e, "%s: %s", "setting the TLS certificate failed",
 			ERR_reason_error_string (ERR_get_error ()));
 	else if (!SSL_CTX_use_PrivateKey_file
 		(ctx->ssl_ctx, key_path, SSL_FILETYPE_PEM))
-		error_set (e, "%s: %s", "setting the SSL private key failed",
+		error_set (e, "%s: %s", "setting the TLS private key failed",
 			ERR_reason_error_string (ERR_get_error ()));
 	else
 		// TODO: SSL_CTX_check_private_key()?  It has probably already been
@@ -3538,9 +3542,9 @@ irc_initialize_ssl (struct server_context *ctx, struct error **e)
 		return true;
 
 	if (!ssl_cert)
-		error_set (e, "no SSL certificate set");
+		error_set (e, "no TLS certificate set");
 	else if (!ssl_key)
-		error_set (e, "no SSL private key set");
+		error_set (e, "no TLS private key set");
 	if (!ssl_cert || !ssl_key)
 		return false;
 
-- 
cgit v1.2.3