From 44ffcfc05edf18c1669777e7b5efcf4be0388ce0 Mon Sep 17 00:00:00 2001 From: Michael Ortmann <41313082+michaelortmann@users.noreply.github.com> Date: Mon, 13 Feb 2023 20:46:28 +0100 Subject: [PATCH 01/10] Warn user of expired cert --- src/main.c | 1 + src/proto.h | 1 + src/tls.c | 8 ++++++++ 3 files changed, 10 insertions(+) diff --git a/src/main.c b/src/main.c index 9ab60c6de..4a3146f0c 100644 --- a/src/main.c +++ b/src/main.c @@ -681,6 +681,7 @@ static void core_secondly() logs[j].f = NULL; } } + verify_cert_expiry(); } } if (nowtm.tm_min == notify_users_at) diff --git a/src/proto.h b/src/proto.h index f1940773b..4c62922d9 100644 --- a/src/proto.h +++ b/src/proto.h @@ -310,6 +310,7 @@ int readtclprog(char *fname); /* tls.c */ #ifdef TLS +void verify_cert_expiry(); int ssl_handshake(int, int, int, int, char *, IntFunc); char *ssl_fpconv(char *in, char *out); const char *ssl_getuid(int sock); diff --git a/src/tls.c b/src/tls.c index 5125a3a7d..a4296ddee 100644 --- a/src/tls.c +++ b/src/tls.c @@ -109,6 +109,13 @@ static int ssl_seed(void) return 0; } +void verify_cert_expiry() { + X509 *x509; + if ((x509 = SSL_CTX_get0_certificate(ssl_ctx)) && + (ASN1_TIME_cmp_time_t(X509_get0_notAfter(x509), time(NULL)) < 0)) + putlog(LOG_MISC, "*", "WARNING: certificate expired: %s", tls_certfile); +} + /* Prepares and initializes SSL stuff * * Creates a context object, supporting SSLv2/v3 & TLSv1 protocols; @@ -157,6 +164,7 @@ int ssl_init() tls_certfile, ERR_error_string(ERR_get_error(), NULL)); fatal("Unable to load TLS certificate (ssl-certificate config setting)!", 0); } + verify_cert_expiry(); if (SSL_CTX_use_PrivateKey_file(ssl_ctx, tls_keyfile, SSL_FILETYPE_PEM) != 1) { putlog(LOG_MISC, "*", "ERROR: TLS: unable to load private key from %s: %s", tls_keyfile, ERR_error_string(ERR_get_error(), NULL)); From 59031d8627d3d1f7122818ac16b5c0158773113a Mon Sep 17 00:00:00 2001 
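Review bot: The check added in verify_cert_expiry only fires once notAfter is already in the past, so the operator hears about it at the same moment peers start refusing the handshake; a lead-time warning is what makes a certificate-expiry check actionable. Comparing against `time(NULL) + 30 * 24 * 3600` (or a configurable lead time) and wording the message as "expires within N days" would leave room to renew. ASN1_TIME_cmp_time_t also returns -2 when notAfter cannot be parsed, which `< 0` reports as "expired"; a malformed validity field deserves its own message rather than being folded into the expiry one. The notBefore bound is not examined, so a certificate that is not yet valid passes silently, and the caller in core_secondly sits inside a block whose enclosing condition is outside this hunk.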
From: Michael Ortmann Date: Mon, 2 Oct 2023 13:32:54 +0200 Subject: [PATCH 02/10] Fix proto --- src/proto.h | 2 +- src/tls.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/src/proto.h b/src/proto.h index 4c62922d9..d34882698 100644 --- a/src/proto.h +++ b/src/proto.h @@ -310,7 +310,7 @@ int readtclprog(char *fname); /* tls.c */ #ifdef TLS -void verify_cert_expiry(); +void verify_cert_expiry(void); int ssl_handshake(int, int, int, int, char *, IntFunc); char *ssl_fpconv(char *in, char *out); const char *ssl_getuid(int sock); diff --git a/src/tls.c b/src/tls.c index a4296ddee..3e6379f81 100644 --- a/src/tls.c +++ b/src/tls.c @@ -109,7 +109,7 @@ static int ssl_seed(void) return 0; } -void verify_cert_expiry() { +void verify_cert_expiry(void) { X509 *x509; if ((x509 = SSL_CTX_get0_certificate(ssl_ctx)) && (ASN1_TIME_cmp_time_t(X509_get0_notAfter(x509), time(NULL)) < 0)) From c7fb9e456c4a41b8d3a7cde6b02bc8b5ee1e8e0c Mon Sep 17 00:00:00 2001 From: Michael Ortmann Date: Mon, 2 Oct 2023 17:49:38 +0200 Subject: [PATCH 03/10] print exp cert when owner logged in and daily --- src/dccutil.c | 2 ++ src/main.c | 2 +- src/proto.h | 2 +- src/tls.c | 12 ++++++++---- 4 files changed, 12 insertions(+), 6 deletions(-) diff --git a/src/dccutil.c b/src/dccutil.c index b3a80e2cb..b7fce3acc 100644 --- a/src/dccutil.c +++ b/src/dccutil.c @@ -276,6 +276,8 @@ void dcc_chatter(int idx) dcc[idx].u.chat->channel = 234567; j = dcc[idx].sock; strcpy(dcc[idx].u.chat->con_chan, "***"); + if (is_owner(dcc[idx].user)) + verify_cert_expiry(idx); check_tcl_chon(dcc[idx].nick, dcc[idx].sock); /* Still there? */ if ((idx >= dcc_total) || (dcc[idx].sock != j)) diff --git a/src/main.c b/src/main.c index a9f3df2c3..f18c09123 100644 --- a/src/main.c +++ b/src/main.c @@ -680,7 +680,6 @@ static void core_secondly() logs[j].f = NULL; } } - verify_cert_expiry(); } } if (nowtm.tm_min == notify_users_at) 
@@ -706,6 +705,7 @@ static void core_secondly() movefile(logs[i].filename, s); } } + verify_cert_expiry(0); } } } diff --git a/src/proto.h b/src/proto.h index 79327e7d6..ce8f282d8 100644 --- a/src/proto.h +++ b/src/proto.h @@ -310,7 +310,7 @@ int readtclprog(char *fname); /* tls.c */ #ifdef TLS -void verify_cert_expiry(void); +void verify_cert_expiry(int); int ssl_handshake(int, int, int, int, char *, IntFunc); char *ssl_fpconv(char *in, char *out); const char *ssl_getuid(int sock); diff --git a/src/tls.c b/src/tls.c index 001da9dd7..6e40e3774 100644 --- a/src/tls.c +++ b/src/tls.c @@ -109,11 +109,15 @@ static int ssl_seed(void) return 0; } -void verify_cert_expiry(void) { +void verify_cert_expiry(int idx) { X509 *x509; if ((x509 = SSL_CTX_get0_certificate(ssl_ctx)) && - (ASN1_TIME_cmp_time_t(X509_get0_notAfter(x509), time(NULL)) < 0)) - putlog(LOG_MISC, "*", "WARNING: certificate expired: %s", tls_certfile); + (ASN1_TIME_cmp_time_t(X509_get0_notAfter(x509), time(NULL)) < 0)) { + if (idx) + dprintf(idx,"WARNING: certificate expired: %s\n", tls_certfile); + else + putlog(LOG_MISC, "*", "WARNING: certificate expired: %s", tls_certfile); + } } /* Prepares and initializes SSL stuff @@ -164,7 +168,7 @@ int ssl_init() tls_certfile, ERR_error_string(ERR_get_error(), NULL)); fatal("Unable to load TLS certificate (ssl-certificate config setting)!", 0); } - verify_cert_expiry(); + verify_cert_expiry(0); if (SSL_CTX_use_PrivateKey_file(ssl_ctx, tls_keyfile, SSL_FILETYPE_PEM) != 1) { putlog(LOG_MISC, "*", "ERROR: TLS: unable to load private key from %s: %s", tls_keyfile, ERR_error_string(ERR_get_error(), NULL)); From fbd827652873e8fba06c751a69c82d7c6de07e2a Mon Sep 17 00:00:00 2001 From: Michael Ortmann Date: Mon, 2 Oct 2023 17:57:39 +0200 Subject: [PATCH 04/10] Fix whitespace --- src/tls.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/tls.c b/src/tls.c index 6e40e3774..6dc3de505 100644 --- a/src/tls.c +++ b/src/tls.c 
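Review bot: Using `0` as the "log instead of chat" sentinel in verify_cert_expiry collides with a real DCC index: dcc[] is zero-based and dcc_chatter passes its idx straight through, so an owner attached on idx 0 would get the warning in the log file rather than on their console. Use a negative sentinel instead — test `if (idx >= 0)` in verify_cert_expiry, and have ssl_init and core_secondly pass `-1` — and document it on the prototype as `/* idx < 0: putlog only; otherwise also dprintf to that dcc */`. The rest of verify_cert_expiry continues past this hunk.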
@@ -114,7 +114,7 @@ void verify_cert_expiry(int idx) { if ((x509 = SSL_CTX_get0_certificate(ssl_ctx)) && (ASN1_TIME_cmp_time_t(X509_get0_notAfter(x509), time(NULL)) < 0)) { if (idx) - dprintf(idx,"WARNING: certificate expired: %s\n", tls_certfile); + dprintf(idx, "WARNING: certificate expired: %s\n", tls_certfile); else putlog(LOG_MISC, "*", "WARNING: certificate expired: %s", tls_certfile); } From 43d2548371452333043ffea7aad539964f7805c2 Mon Sep 17 00:00:00 2001 From: Geo Date: Mon, 8 Jul 2024 22:42:35 -0400 Subject: [PATCH 05/10] Update warning message --- src/tls.c | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/src/tls.c b/src/tls.c index 6dc3de505..86a5748c2 100644 --- a/src/tls.c +++ b/src/tls.c @@ -113,10 +113,13 @@ void verify_cert_expiry(int idx) { X509 *x509; if ((x509 = SSL_CTX_get0_certificate(ssl_ctx)) && (ASN1_TIME_cmp_time_t(X509_get0_notAfter(x509), time(NULL)) < 0)) { - if (idx) - dprintf(idx, "WARNING: certificate expired: %s\n", tls_certfile); - else - putlog(LOG_MISC, "*", "WARNING: certificate expired: %s", tls_certfile); + if (idx) { + dprintf(idx, "WARNING: SSL/TLS certificate %s expired\n", tls_certfile); + dprintf(idx, "You can generate new certificates by running 'make sslcert' from the source directory\n"); + } else { + putlog(LOG_MISC, "*", "WARNING: SSL/TLS certificate %s expired\n", tls_certfile); + putlog(LOG_MISC, "*", "You can generate new certificates by running 'make sslcert' from the source directory\n"); + } } } From 7b0201941e057ed14c4b97cdd24d5edc5f7544e8 Mon Sep 17 00:00:00 2001 From: Geo Date: Mon, 8 Jul 2024 22:48:53 -0400 Subject: [PATCH 06/10] Update warning message spacing --- src/tls.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/tls.c b/src/tls.c index 86a5748c2..8542ad25e 100644 --- a/src/tls.c +++ b/src/tls.c 
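Review bot: The remediation text added in both branches assumes the expired certificate is the self-signed one produced by `make sslcert`; for an operator using a CA-issued certificate that advice is misleading, and for a self-signed one, regenerating changes the fingerprint, which anyone pinning it (the ssl_fpconv declaration suggests fingerprint checks exist, though that code is not shown here) will then have to update. Suggest `"Renew the certificate, or for a self-signed one run 'make sslcert' in the source directory; note a new certificate has a new fingerprint"`. The `\n` appended to the putlog format strings will, if putlog already terminates its lines, leave a blank line in the log after each warning.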
@@ -115,9 +115,9 @@ void verify_cert_expiry(int idx) { (ASN1_TIME_cmp_time_t(X509_get0_notAfter(x509), time(NULL)) < 0)) { if (idx) { dprintf(idx, "WARNING: SSL/TLS certificate %s expired\n", tls_certfile); - dprintf(idx, "You can generate new certificates by running 'make sslcert' from the source directory\n"); + dprintf(idx, "You can generate new certificates by running 'make sslcert' from the source directory\n\n"); } else { - putlog(LOG_MISC, "*", "WARNING: SSL/TLS certificate %s expired\n", tls_certfile); + putlog(LOG_MISC, "*", "\nWARNING: SSL/TLS certificate %s expired", tls_certfile); putlog(LOG_MISC, "*", "You can generate new certificates by running 'make sslcert' from the source directory\n"); } } From 11897a9c9e76d20acda111fdcce61b0f04970f58 Mon Sep 17 00:00:00 2001 From: Geo Date: Mon, 8 Jul 2024 23:01:25 -0400 Subject: [PATCH 07/10] ifdef tls calls --- src/dccutil.c | 2 ++ src/main.c | 2 ++ 2 files changed, 4 insertions(+) diff --git a/src/dccutil.c b/src/dccutil.c index b7fce3acc..58b4db0ee 100644 --- a/src/dccutil.c +++ b/src/dccutil.c @@ -276,8 +276,10 @@ void dcc_chatter(int idx) dcc[idx].u.chat->channel = 234567; j = dcc[idx].sock; strcpy(dcc[idx].u.chat->con_chan, "***"); +#ifdef TLS if (is_owner(dcc[idx].user)) verify_cert_expiry(idx); +#endif check_tcl_chon(dcc[idx].nick, dcc[idx].sock); /* Still there? */ if ((idx >= dcc_total) || (dcc[idx].sock != j)) diff --git a/src/main.c b/src/main.c index f18c09123..414b7269d 100644 --- a/src/main.c +++ b/src/main.c @@ -705,7 +705,9 @@ static void core_secondly() movefile(logs[i].filename, s); } } +#ifdef TLS verify_cert_expiry(0); +#endif } } } From 3a3dc51440e310be3ac99b0bd9d31ae991e34a8d Mon Sep 17 00:00:00 2001 From: Michael Ortmann <41313082+michaelortmann@users.noreply.github.com> Date: Tue, 9 Jul 2024 19:50:42 +0200 Subject: [PATCH 08/10] Use X509_cmp_current_time() --- src/tls.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) 
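Review bot: The rewritten putlog warning now begins with `\n` and the follow-up line still ends with `\n`, so the log receives an embedded leading newline and a trailing empty line; log lines containing newlines are exactly what line-oriented collectors and alert rules trip over, and an expired-certificate WARNING is the line someone will want to match on. Keep one message per putlog call with no embedded newline — `putlog(LOG_MISC, "*", "WARNING: SSL/TLS certificate %s expired", tls_certfile);` — and drop the `\n` from the second call; visual spacing belongs in the dprintf branch only. If putlog is known to strip these, a one-line comment saying so would stop the next reader from "fixing" it again.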
diff --git a/src/tls.c b/src/tls.c index c20ef09ac..7a685272f 100644 --- a/src/tls.c +++ b/src/tls.c @@ -111,8 +111,9 @@ static int ssl_seed(void) void verify_cert_expiry(int idx) { X509 *x509; + if ((x509 = SSL_CTX_get0_certificate(ssl_ctx)) && - (ASN1_TIME_cmp_time_t(X509_get0_notAfter(x509), time(NULL)) < 0)) { + (X509_cmp_current_time(X509_get_notAfter(x509)) < 0)) { if (idx) { dprintf(idx, "WARNING: SSL/TLS certificate %s expired\n", tls_certfile); dprintf(idx, "You can generate new certificates by running 'make sslcert' from the source directory\n\n"); From d2172948c836df4593756ad22d008dee552cdfca Mon Sep 17 00:00:00 2001 From: Michael Ortmann <41313082+michaelortmann@users.noreply.github.com> Date: Tue, 9 Jul 2024 20:17:24 +0200 Subject: [PATCH 09/10] Add compatibility with openssl 0.9.8+ --- src/tls.c | 29 +++++++++++++++++++++-------- 1 file changed, 21 insertions(+), 8 deletions(-) diff --git a/src/tls.c b/src/tls.c index 7a685272f..7492edc6a 100644 --- a/src/tls.c +++ b/src/tls.c 
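Review bot: `X509_cmp_current_time(...) < 0` silently accepts a certificate whose notAfter cannot be parsed, because that function returns 0 on error rather than a negative value, so an unreadable validity field now produces no log line at all (the previous ASN1_TIME_cmp_time_t form at least reported it, if misleadingly, as expired). Capture the result and treat 0 as its own condition: `int r = X509_cmp_current_time(X509_get_notAfter(x509)); if (r <= 0) { ... }` with a distinct message for `r == 0` such as "could not parse certificate expiry". The body of verify_cert_expiry continues outside this hunk.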
@@ -112,15 +112,28 @@ static int ssl_seed(void) void verify_cert_expiry(int idx) { X509 *x509; - if ((x509 = SSL_CTX_get0_certificate(ssl_ctx)) && - (X509_cmp_current_time(X509_get_notAfter(x509)) < 0)) { - if (idx) { - dprintf(idx, "WARNING: SSL/TLS certificate %s expired\n", tls_certfile); - dprintf(idx, "You can generate new certificates by running 'make sslcert' from the source directory\n\n"); - } else { - putlog(LOG_MISC, "*", "\nWARNING: SSL/TLS certificate %s expired", tls_certfile); - putlog(LOG_MISC, "*", "You can generate new certificates by running 'make sslcert' from the source directory\n"); +#if OPENSSL_VERSION_NUMBER >= 0x10002000L /* 1.0.2 */ + x509 = SSL_CTX_get0_certificate(ssl_ctx); +#else + BIO *bio = BIO_new_file(tls_certfile, "r"); + if (!bio) + return; + x509 = PEM_read_bio_X509(bio, NULL, NULL, NULL); +#endif + if (x509) { + if (X509_cmp_current_time(X509_get_notAfter(x509)) < 0) { + if (idx) { + dprintf(idx, "WARNING: SSL/TLS certificate %s expired\n", tls_certfile); + dprintf(idx, "You can generate new certificates by running 'make sslcert' from the source directory\n\n"); + } else { + putlog(LOG_MISC, "*", "\nWARNING: SSL/TLS certificate %s expired", tls_certfile); + putlog(LOG_MISC, "*", "You can generate new certificates by running 'make sslcert' from the source directory\n"); + } } +#if OPENSSL_VERSION_NUMBER < 0x10002000L /* 1.0.2 */ + X509_free(x509); + BIO_free(bio); +#endif } } From 2f28d565fc84919a67ac3ebd28ce4a5de79b99da Mon Sep 17 00:00:00 2001 From: Michael Ortmann <41313082+michaelortmann@users.noreply.github.com> Date: Tue, 9 Jul 2024 22:32:12 +0200 Subject: [PATCH 10/10] Enhance openssl function / library / version check / message --- aclocal.m4 | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/aclocal.m4 b/aclocal.m4 index 748fb2969..7ec45b670 100644 --- a/aclocal.m4 +++ b/aclocal.m4 
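Review bot: In the pre-1.0.2 fallback, `bio` leaks whenever PEM_read_bio_X509 returns NULL, because `BIO_free(bio)` is only reached inside `if (x509)`; since core_secondly calls this daily, a certificate file that exists but does not parse leaks one BIO per day. Move the `X509_free(x509); BIO_free(bio);` block to just after the closing brace of `if (x509)` (both calls are NULL-safe), so the cleanup runs on every path. Two caveats are worth a comment on that branch: it re-reads tls_certfile from disk, so it reports on whatever file is there now rather than on the certificate ssl_ctx is actually serving, and a failed PEM parse leaves entries on the OpenSSL error queue that a later `ERR_error_string(ERR_get_error(), NULL)` may attribute to the wrong call — an `ERR_clear_error()` after the parse would avoid that. The >= 1.0.2 branch passes ssl_ctx without a NULL check; if this can run before ssl_init has populated it, an early `if (!ssl_ctx) return;` is cheap insurance.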
@@ -1595,11 +1595,11 @@ AC_DEFUN([EGG_TLS_DETECT], if test -z "$SSL_LIBS"; then AC_CHECK_LIB(crypto, X509_digest, , [havessllib="no"], [-lssl]) AC_CHECK_LIB(ssl, SSL_accept, , [havessllib="no"], [-lcrypto]) - AC_CHECK_FUNCS([EVP_sha1 a2i_IPADDRESS], , [[ - havessllib="no" - break - ]]) fi + AC_CHECK_FUNCS([EVP_sha1 a2i_IPADDRESS], , [[ + havessllib="no" + break + ]]) AC_CHECK_FUNCS([EVP_md5]) AC_CHECK_FUNC(OPENSSL_buf2hexstr, , AC_CHECK_FUNC(hex_to_string, @@ -1622,7 +1622,7 @@ AC_DEFUN([EGG_TLS_DETECT], AC_MSG_WARN([Please specify the path to the openssl include dir using --with-sslinc=path]) fi if test "$havessllib" = "no"; then - AC_MSG_WARN([Cannot find OpenSSL libraries.]) + AC_MSG_WARN([Cannot find OpenSSL library 0.9.8 or newer.]) AC_MSG_WARN([Please specify the path to libssl and libcrypto using --with-ssllib=path]) fi AC_MSG_CHECKING([for OpenSSL])
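Review bot: Moving AC_CHECK_FUNCS for EVP_sha1/a2i_IPADDRESS out of the `if test -z "$SSL_LIBS"` block means it now also runs when the user supplied SSL_LIBS, but in that case the two AC_CHECK_LIB calls that add -lssl/-lcrypto to LIBS are skipped, so the link test only succeeds if $SSL_LIBS has already been folded into LIBS or LDFLAGS earlier in the macro — not visible in this hunk, and worth confirming so a correct --with-ssllib does not turn into "Cannot find OpenSSL library 0.9.8 or newer". The new warning states a version floor that these two symbol probes only approximate; a comment above the check, e.g. `dnl 0.9.8 floor: EVP_sha1 and a2i_IPADDRESS are the oldest symbols tls.c relies on`, would tie the message to what is actually tested and make the floor easy to revise when tls.c starts using newer APIs.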