More SSL -> TLS renaming

This commit is contained in:
Přemysl Eric Janouch 2015-07-28 20:31:42 +02:00
parent a912b3f28c
commit 637a3d2bf7
3 changed files with 56 additions and 56 deletions


@ -1552,24 +1552,24 @@ static struct config_schema g_config_server[] =
.type = CONFIG_ITEM_STRING, .type = CONFIG_ITEM_STRING,
.validate = config_validate_nonjunk_string }, .validate = config_validate_nonjunk_string },
{ .name = "ssl", { .name = "tls",
.comment = "Whether to use TLS", .comment = "Whether to use TLS",
.type = CONFIG_ITEM_BOOLEAN, .type = CONFIG_ITEM_BOOLEAN,
.default_ = "off" }, .default_ = "off" },
{ .name = "ssl_cert", { .name = "tls_cert",
.comment = "Client TLS certificate (PEM)", .comment = "Client TLS certificate (PEM)",
.type = CONFIG_ITEM_STRING }, .type = CONFIG_ITEM_STRING },
{ .name = "ssl_verify", { .name = "tls_verify",
.comment = "Whether to verify certificates", .comment = "Whether to verify certificates",
.type = CONFIG_ITEM_BOOLEAN, .type = CONFIG_ITEM_BOOLEAN,
.default_ = "on" }, .default_ = "on" },
{ .name = "ssl_ca_file", { .name = "tls_ca_file",
.comment = "OpenSSL CA bundle file", .comment = "OpenSSL CA bundle file",
.type = CONFIG_ITEM_STRING }, .type = CONFIG_ITEM_STRING },
{ .name = "ssl_ca_path", { .name = "tls_ca_path",
.comment = "OpenSSL CA bundle path", .comment = "OpenSSL CA bundle path",
.type = CONFIG_ITEM_STRING }, .type = CONFIG_ITEM_STRING },
{ .name = "ssl_ciphers", { .name = "tls_ciphers",
.comment = "OpenSSL cipher preference list", .comment = "OpenSSL cipher preference list",
.type = CONFIG_ITEM_STRING, .type = CONFIG_ITEM_STRING,
.default_ = "\"DEFAULT:!MEDIUM:!LOW\"" }, .default_ = "\"DEFAULT:!MEDIUM:!LOW\"" },
@ -4039,7 +4039,7 @@ transport_tls_verify_callback (int preverify_ok, X509_STORE_CTX *ctx)
static bool static bool
transport_tls_init_ctx (struct server *s, SSL_CTX *ssl_ctx, struct error **e) transport_tls_init_ctx (struct server *s, SSL_CTX *ssl_ctx, struct error **e)
{ {
bool verify = get_config_boolean (s->config, "ssl_verify"); bool verify = get_config_boolean (s->config, "tls_verify");
SSL_CTX_set_verify (ssl_ctx, verify ? SSL_VERIFY_PEER : SSL_VERIFY_NONE, SSL_CTX_set_verify (ssl_ctx, verify ? SSL_VERIFY_PEER : SSL_VERIFY_NONE,
transport_tls_verify_callback); transport_tls_verify_callback);
@ -4048,7 +4048,7 @@ transport_tls_init_ctx (struct server *s, SSL_CTX *ssl_ctx, struct error **e)
SSL_CTX_get_ex_new_index (0, "server", NULL, NULL, NULL); SSL_CTX_get_ex_new_index (0, "server", NULL, NULL, NULL);
SSL_CTX_set_ex_data (ssl_ctx, g_transport_tls_data_index, s); SSL_CTX_set_ex_data (ssl_ctx, g_transport_tls_data_index, s);
const char *ciphers = get_config_string (s->config, "ssl_ciphers"); const char *ciphers = get_config_string (s->config, "tls_ciphers");
if (ciphers && !SSL_CTX_set_cipher_list (ssl_ctx, ciphers)) if (ciphers && !SSL_CTX_set_cipher_list (ssl_ctx, ciphers))
log_server_error (s, s->buffer, log_server_error (s, s->buffer,
"Failed to select any cipher from the cipher list"); "Failed to select any cipher from the cipher list");
@ -4058,8 +4058,8 @@ transport_tls_init_ctx (struct server *s, SSL_CTX *ssl_ctx, struct error **e)
// Disable deprecated protocols (see RFC 7568) // Disable deprecated protocols (see RFC 7568)
SSL_CTX_set_options (ssl_ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3); SSL_CTX_set_options (ssl_ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
const char *ca_file = get_config_string (s->config, "ssl_ca_file"); const char *ca_file = get_config_string (s->config, "tls_ca_file");
const char *ca_path = get_config_string (s->config, "ssl_ca_path"); const char *ca_path = get_config_string (s->config, "tls_ca_path");
ERR_clear_error (); ERR_clear_error ();
@ -4100,20 +4100,20 @@ ca_error:
static bool static bool
transport_tls_init_cert (struct server *s, SSL *ssl, struct error **e) transport_tls_init_cert (struct server *s, SSL *ssl, struct error **e)
{ {
const char *ssl_cert = get_config_string (s->config, "ssl_cert"); const char *tls_cert = get_config_string (s->config, "tls_cert");
if (!ssl_cert) if (!tls_cert)
return true; return true;
ERR_clear_error (); ERR_clear_error ();
bool result = false; bool result = false;
char *path = resolve_filename (ssl_cert, resolve_relative_config_filename); char *path = resolve_filename (tls_cert, resolve_relative_config_filename);
if (!path) if (!path)
error_set (e, "%s: %s", "Cannot open file", ssl_cert); error_set (e, "%s: %s", "Cannot open file", tls_cert);
// XXX: perhaps we should read the file ourselves for better messages // XXX: perhaps we should read the file ourselves for better messages
else if (!SSL_use_certificate_file (ssl, path, SSL_FILETYPE_PEM) else if (!SSL_use_certificate_file (ssl, path, SSL_FILETYPE_PEM)
|| !SSL_use_PrivateKey_file (ssl, path, SSL_FILETYPE_PEM)) || !SSL_use_PrivateKey_file (ssl, path, SSL_FILETYPE_PEM))
error_set (e, "%s: %s", "Setting the SSL client certificate failed", error_set (e, "%s: %s", "Setting the TLS client certificate failed",
ERR_reason_error_string (ERR_get_error ())); ERR_reason_error_string (ERR_get_error ()));
else else
result = true; result = true;
@ -4384,7 +4384,7 @@ irc_finish_connection (struct server *s, int socket)
set_blocking (socket, false); set_blocking (socket, false);
s->socket = socket; s->socket = socket;
s->transport = get_config_boolean (s->config, "ssl") s->transport = get_config_boolean (s->config, "tls")
? &g_transport_tls ? &g_transport_tls
: &g_transport_plain; : &g_transport_plain;
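Review bot: The config key read on the new side of this hunk, `get_config_boolean (s->config, "tls")`, defaults to "off" (L17), so an existing configuration that still says `ssl = on` would — if the loader tolerates the now-unknown `ssl` key rather than rejecting it — silently downgrade that server to `g_transport_plain` with no error; the same applies to `ssl_verify`, `ssl_ca_file` and `ssl_cert`, whose old spellings now simply stop taking effect. Since config_schema entries carry a `.validate` hook, the loader may already reject unknown keys, but that is outside this hunk and worth confirming; if it does not, a short transition shim that treats the old `ssl*` names as deprecated aliases (or refuses to start with a message naming the new key) would prevent a plaintext fallback that the user never asked for. Separately, `SSL_VERIFY_PEER` in transport_tls_init_ctx only establishes chain validity; whether the peer certificate is bound to the configured hostname depends on transport_tls_verify_callback, which is outside the hunk, so a one-line comment at `SSL_CTX_set_verify` stating where hostname checking happens (or that it does not) would help the next reader. irc_finish_connection continues past the end of the hunk.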

44
kike.c

@ -44,9 +44,9 @@ static struct config_item g_config_table[] =
{ "bind_host", NULL, "Address of the IRC server" }, { "bind_host", NULL, "Address of the IRC server" },
{ "bind_port", "6667", "Port of the IRC server" }, { "bind_port", "6667", "Port of the IRC server" },
{ "ssl_cert", NULL, "Server TLS certificate (PEM)" }, { "tls_cert", NULL, "Server TLS certificate (PEM)" },
{ "ssl_key", NULL, "Server TLS private key (PEM)" }, { "tls_key", NULL, "Server TLS private key (PEM)" },
{ "ssl_ciphers", DEFAULT_CIPHERS, "OpenSSL cipher list" }, { "tls_ciphers", DEFAULT_CIPHERS, "OpenSSL cipher list" },
{ "operators", NULL, "IRCop TLS cert. fingerprints" }, { "operators", NULL, "IRCop TLS cert. fingerprints" },
@ -3106,7 +3106,7 @@ irc_try_read (struct client *c)
} }
static bool static bool
irc_try_read_ssl (struct client *c) irc_try_read_tls (struct client *c)
{ {
if (c->ssl_tx_want_rx) if (c->ssl_tx_want_rx)
return true; return true;
@ -3174,7 +3174,7 @@ irc_try_write (struct client *c)
} }
static bool static bool
irc_try_write_ssl (struct client *c) irc_try_write_tls (struct client *c)
{ {
if (c->ssl_rx_want_tx) if (c->ssl_rx_want_tx)
return true; return true;
@ -3212,7 +3212,7 @@ irc_try_write_ssl (struct client *c)
} }
static bool static bool
irc_autodetect_ssl (struct client *c) irc_autodetect_tls (struct client *c)
{ {
// Trivial SSL/TLS autodetection. The first block of data returned by // Trivial SSL/TLS autodetection. The first block of data returned by
// recv() must be at least three bytes long for this to work reliably, // recv() must be at least three bytes long for this to work reliably,
@ -3251,7 +3251,7 @@ start:
} }
static bool static bool
client_initialize_ssl (struct client *c) client_initialize_tls (struct client *c)
{ {
const char *error_info = NULL; const char *error_info = NULL;
if (!c->ctx->ssl_ctx) if (!c->ctx->ssl_ctx)
@ -3288,7 +3288,7 @@ on_client_ready (const struct pollfd *pfd, void *user_data)
if (!c->initialized) if (!c->initialized)
{ {
hard_assert (pfd->events == POLLIN); hard_assert (pfd->events == POLLIN);
if (irc_autodetect_ssl (c) && !client_initialize_ssl (c)) if (irc_autodetect_tls (c) && !client_initialize_tls (c))
{ {
client_kill (c, NULL); client_kill (c, NULL);
return; return;
@ -3301,7 +3301,7 @@ on_client_ready (const struct pollfd *pfd, void *user_data)
{ {
// Reads may want to write, writes may want to read, poll() may // Reads may want to write, writes may want to read, poll() may
// return unexpected things in `revents'... let's try both // return unexpected things in `revents'... let's try both
if (!irc_try_read_ssl (c) || !irc_try_write_ssl (c)) if (!irc_try_read_tls (c) || !irc_try_write_tls (c))
return; return;
} }
else if (!irc_try_read (c) || !irc_try_write (c)) else if (!irc_try_read (c) || !irc_try_write (c))
@ -3510,7 +3510,7 @@ irc_initialize_ssl_ctx (struct server_context *ctx,
SSL_CTX_set_options (ctx->ssl_ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3); SSL_CTX_set_options (ctx->ssl_ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
// XXX: perhaps we should read the files ourselves for better messages // XXX: perhaps we should read the files ourselves for better messages
const char *ciphers = str_map_find (&ctx->config, "ssl_ciphers"); const char *ciphers = str_map_find (&ctx->config, "tls_ciphers");
if (!SSL_CTX_set_cipher_list (ctx->ssl_ctx, ciphers)) if (!SSL_CTX_set_cipher_list (ctx->ssl_ctx, ciphers))
error_set (e, "failed to select any cipher from the cipher list"); error_set (e, "failed to select any cipher from the cipher list");
else if (!SSL_CTX_use_certificate_chain_file (ctx->ssl_ctx, cert_path)) else if (!SSL_CTX_use_certificate_chain_file (ctx->ssl_ctx, cert_path))
@ -3531,33 +3531,33 @@ irc_initialize_ssl_ctx (struct server_context *ctx,
} }
static bool static bool
irc_initialize_ssl (struct server_context *ctx, struct error **e) irc_initialize_tls (struct server_context *ctx, struct error **e)
{ {
const char *ssl_cert = str_map_find (&ctx->config, "ssl_cert"); const char *tls_cert = str_map_find (&ctx->config, "tls_cert");
const char *ssl_key = str_map_find (&ctx->config, "ssl_key"); const char *tls_key = str_map_find (&ctx->config, "tls_key");
// Only try to enable SSL support if the user configures it; it is not // Only try to enable SSL support if the user configures it; it is not
// a failure if no one has requested it. // a failure if no one has requested it.
if (!ssl_cert && !ssl_key) if (!tls_cert && !tls_key)
return true; return true;
if (!ssl_cert) if (!tls_cert)
error_set (e, "no TLS certificate set"); error_set (e, "no TLS certificate set");
else if (!ssl_key) else if (!tls_key)
error_set (e, "no TLS private key set"); error_set (e, "no TLS private key set");
if (!ssl_cert || !ssl_key) if (!tls_cert || !tls_key)
return false; return false;
bool result = false; bool result = false;
char *cert_path = resolve_filename char *cert_path = resolve_filename
(ssl_cert, resolve_relative_config_filename); (tls_cert, resolve_relative_config_filename);
char *key_path = resolve_filename char *key_path = resolve_filename
(ssl_key, resolve_relative_config_filename); (tls_key, resolve_relative_config_filename);
if (!cert_path) if (!cert_path)
error_set (e, "%s: %s", "cannot open file", ssl_cert); error_set (e, "%s: %s", "cannot open file", tls_cert);
else if (!key_path) else if (!key_path)
error_set (e, "%s: %s", "cannot open file", ssl_key); error_set (e, "%s: %s", "cannot open file", tls_key);
else else
result = irc_initialize_ssl_ctx (ctx, cert_path, key_path, e); result = irc_initialize_ssl_ctx (ctx, cert_path, key_path, e);
@ -4019,7 +4019,7 @@ main (int argc, char *argv[])
ctx.signal_event.user_data = &ctx; ctx.signal_event.user_data = &ctx;
poller_fd_set (&ctx.signal_event, POLLIN); poller_fd_set (&ctx.signal_event, POLLIN);
if (!irc_initialize_ssl (&ctx, &e) if (!irc_initialize_tls (&ctx, &e)
|| !irc_initialize_server_name (&ctx, &e) || !irc_initialize_server_name (&ctx, &e)
|| !irc_initialize_motd (&ctx, &e) || !irc_initialize_motd (&ctx, &e)
|| !irc_initialize_catalog (&ctx, &e) || !irc_initialize_catalog (&ctx, &e)
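Review bot: In irc_initialize_tls, `if (!tls_cert && !tls_key) return true;` means a server whose config still uses the pre-rename `ssl_cert`/`ssl_key` keys will, if the str_map-based loader keeps or ignores unknown keys, start with TLS silently disabled rather than failing; for a server this is a plaintext regression that nobody gets warned about. A cheap guard just before that early return, `if (str_map_find (&ctx->config, "ssl_cert") || str_map_find (&ctx->config, "ssl_key")) { error_set (e, "ssl_cert/ssl_key were renamed to tls_cert/tls_key"); return false; }`, would turn the silent downgrade into a startup error — assuming unknown keys survive into `ctx->config`, which I cannot tell from this section. On naming, the rename stops at the function boundary: `irc_initialize_ssl_ctx` (called at the end of the hunk) and the `c->ssl_tx_want_rx`/`c->ssl_rx_want_tx` members keep the old prefix while their callers were renamed, so a follow-up or a note in the commit message would keep the convention consistent.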


@ -32,11 +32,11 @@ static struct config_item g_config_table[] =
{ "irc_host", NULL, "Address of the IRC server" }, { "irc_host", NULL, "Address of the IRC server" },
{ "irc_port", "6667", "Port of the IRC server" }, { "irc_port", "6667", "Port of the IRC server" },
{ "ssl", "off", "Whether to use SSL" }, { "tls", "off", "Whether to use TLS" },
{ "ssl_cert", NULL, "Client SSL certificate (PEM)" }, { "tls_cert", NULL, "Client TLS certificate (PEM)" },
{ "ssl_verify", "on", "Whether to verify certificates" }, { "tls_verify", "on", "Whether to verify certificates" },
{ "ssl_ca_file", NULL, "OpenSSL CA bundle file" }, { "tls_ca_file", NULL, "OpenSSL CA bundle file" },
{ "ssl_ca_path", NULL, "OpenSSL CA bundle path" }, { "tls_ca_path", NULL, "OpenSSL CA bundle path" },
{ "autojoin", NULL, "Channels to join on start" }, { "autojoin", NULL, "Channels to join on start" },
{ "reconnect", "on", "Whether to reconnect on error" }, { "reconnect", "on", "Whether to reconnect on error" },
{ "reconnect_delay", "5", "Time between reconnecting" }, { "reconnect_delay", "5", "Time between reconnecting" },
@ -320,7 +320,7 @@ irc_initialize_ssl_ctx (struct bot_context *ctx, struct error **e)
SSL_CTX_set_options (ctx->ssl_ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3); SSL_CTX_set_options (ctx->ssl_ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
bool verify; bool verify;
if (!irc_get_boolean_from_config (ctx, "ssl_verify", &verify, e)) if (!irc_get_boolean_from_config (ctx, "tls_verify", &verify, e))
return false; return false;
SSL_CTX_set_verify (ctx->ssl_ctx, SSL_CTX_set_verify (ctx->ssl_ctx,
verify ? SSL_VERIFY_PEER : SSL_VERIFY_NONE, NULL); verify ? SSL_VERIFY_PEER : SSL_VERIFY_NONE, NULL);
@ -363,7 +363,7 @@ ca_error:
} }
static bool static bool
irc_initialize_ssl (struct bot_context *ctx, struct error **e) irc_initialize_tls (struct bot_context *ctx, struct error **e)
{ {
const char *error_info = NULL; const char *error_info = NULL;
ctx->ssl_ctx = SSL_CTX_new (SSLv23_client_method ()); ctx->ssl_ctx = SSL_CTX_new (SSLv23_client_method ());
@ -376,17 +376,17 @@ irc_initialize_ssl (struct bot_context *ctx, struct error **e)
if (!ctx->ssl) if (!ctx->ssl)
goto error_ssl_2; goto error_ssl_2;
const char *ssl_cert = str_map_find (&ctx->config, "ssl_cert"); const char *tls_cert = str_map_find (&ctx->config, "tls_cert");
if (ssl_cert) if (tls_cert)
{ {
char *path = resolve_filename char *path = resolve_filename
(ssl_cert, resolve_relative_config_filename); (tls_cert, resolve_relative_config_filename);
if (!path) if (!path)
print_error ("%s: %s", "cannot open file", ssl_cert); print_error ("%s: %s", "cannot open file", tls_cert);
// XXX: perhaps we should read the file ourselves for better messages // XXX: perhaps we should read the file ourselves for better messages
else if (!SSL_use_certificate_file (ctx->ssl, path, SSL_FILETYPE_PEM) else if (!SSL_use_certificate_file (ctx->ssl, path, SSL_FILETYPE_PEM)
|| !SSL_use_PrivateKey_file (ctx->ssl, path, SSL_FILETYPE_PEM)) || !SSL_use_PrivateKey_file (ctx->ssl, path, SSL_FILETYPE_PEM))
print_error ("%s: %s", "setting the SSL client certificate failed", print_error ("%s: %s", "setting the TLS client certificate failed",
ERR_error_string (ERR_get_error (), NULL)); ERR_error_string (ERR_get_error (), NULL));
free (path); free (path);
} }
@ -418,7 +418,7 @@ error_ssl_1:
// multiple errors on the OpenSSL stack. // multiple errors on the OpenSSL stack.
if (!error_info) if (!error_info)
error_info = ERR_error_string (ERR_get_error (), NULL); error_info = ERR_error_string (ERR_get_error (), NULL);
error_set (e, "%s: %s", "could not initialize SSL", error_info); error_set (e, "%s: %s", "could not initialize TLS", error_info);
return false; return false;
} }
@ -1444,7 +1444,7 @@ enum irc_read_result
}; };
static enum irc_read_result static enum irc_read_result
irc_fill_read_buffer_ssl (struct bot_context *ctx, struct str *buf) irc_fill_read_buffer_tls (struct bot_context *ctx, struct str *buf)
{ {
int n_read; int n_read;
start: start:
@ -1608,7 +1608,7 @@ on_irc_readable (const struct pollfd *fd, struct bot_context *ctx)
struct str *buf = &ctx->read_buffer; struct str *buf = &ctx->read_buffer;
enum irc_read_result (*fill_buffer)(struct bot_context *, struct str *) enum irc_read_result (*fill_buffer)(struct bot_context *, struct str *)
= ctx->ssl = ctx->ssl
? irc_fill_read_buffer_ssl ? irc_fill_read_buffer_tls
: irc_fill_read_buffer; : irc_fill_read_buffer;
bool disconnected = false; bool disconnected = false;
while (true) while (true)
@ -1754,8 +1754,8 @@ irc_connect (struct bot_context *ctx, struct error **e)
return false; return false;
} }
bool use_ssl; bool use_tls;
if (!irc_get_boolean_from_config (ctx, "ssl", &use_ssl, e)) if (!irc_get_boolean_from_config (ctx, "tls", &use_tls, e))
return false; return false;
bool connected = socks_host bool connected = socks_host
@ -1765,7 +1765,7 @@ irc_connect (struct bot_context *ctx, struct error **e)
if (!connected) if (!connected)
return false; return false;
if (use_ssl && !irc_initialize_ssl (ctx, e)) if (use_tls && !irc_initialize_tls (ctx, e))
{ {
xclose (ctx->irc_fd); xclose (ctx->irc_fd);
ctx->irc_fd = -1; ctx->irc_fd = -1;