Commit graph

47 commits

Author SHA1 Message Date
ManiacTwister
074e23e4e2 Added SNI support (OpenSSL) 2018-11-21 20:03:48 +01:00
Simon Arlott
ae6ce6100a
ssld: avoid clang static analysis warning
Don't set `x = 0` twice.

Edit by @aaronmdjones: fix for loop initialisation and inner condition
2017-08-04 12:32:58 +00:00
Simon Arlott
a21843a0a0
ssld: avoid clang static analysis warning 2017-08-04 12:32:58 +00:00
Aaron Jones
82e920102f
lots of misc cleanups for compiler warnings
ratbox_lib.c:159:1: warning: function 'rb_lib_restart' could be declared
                    with attribute 'noreturn' [-Wmissing-noreturn]

ratbox_lib.c:220:1: warning: function 'rb_lib_loop' could be declared
                    with attribute 'noreturn' [-Wmissing-noreturn]

restart.c:55:1: warning: function 'server_reboot' could be declared with
                attribute 'noreturn' [-Wmissing-noreturn]
2017-08-04 12:32:57 +00:00
Aaron Jones
9519919ff5
ssld/ssld.c: misc cleanup for compiler warning
ssld.c:1251:14: warning: signed shift result (0x80000000) sets the sign
                bit of the shift expression's type ('int') and becomes
                negative [-Wshift-sign-overflow]
2017-08-04 12:32:56 +00:00
Aaron Jones
2afd965b21
TLS: Partially backport the SubjectPublicKeyInfo digesting functionality
This backports the code responsible for SPKI digests from release/4.

It also adjusts doc/reference.conf to note that SPKI digests are now
supported, and how to generate them. It does NOT backport the mkfingerprint
program -- the instructions in reference.conf are sufficient. I am ofcourse
open to anyone else backporting the program, but I don't see the need.
2016-11-15 12:30:09 +00:00
William Pitcock
bc2eeb0992
Do not shadow OpenSSL-internal symbol "ssl_ok".
This is a backport of commit bfc44622
2016-06-01 16:32:26 +00:00
Aaron Jones
b8cf4b3bf2
[sslproc] Various fixes
* Properly allow no DH parameters (some backends come with defaults)
* If no private key is given, assume it's in the certificate file
* Use correct length calculation in buffer for TLS options
* Fix compiler warnings regarding uint64_t stats counters
2016-05-03 23:19:06 +00:00
Aaron Jones
1ea72c8f86
[ssld] Fix possible crash when DH parameters are not provided
This has ssld calling strlen() on a NULL value

[ci skip]
2016-05-03 17:48:04 +00:00
Aaron Jones
5c8da48264
Backport more TLS backend and ssld fixes & improvements from 3.6
openssl:
 * Don't manually initialise libssl 1.1.0 -- it does this automatically
 * SSL_library_init() should be called first otherwise
 * Move SSL_CTX construction to rb_setup_ssl_server()
 * Test for all required files (certificate & key) before doing anything
 * Free the old CTX before constructing a new one (Fixes #186)
 * Properly abort rb_setup_ssl_server() on CTX construction failures
 * Support ECDHE on more than one curve on OpenSSL 1.0.2 and above
 * Clean up ifdef indentation
 * Fix DH parameters memory leak

mbedtls:
 * Fix certificate fingerprint generation
 * Fix library linking order
 * Fix incorrect printf()-esque argument count
 * Return digest length for fingerprints instead of 1, consistent
   with the other backends

sslproc / ssld:
 * Fingerprint methods have no assocated file descriptors
 * Send TLS information (cipher, fingerprint) before data
 * Use correct header length for fingerprint method

Authored-by: Aaron Jones <aaronmdjones@gmail.com>
Authored-by: William Pitcock <nenolod@dereferenced.org>
Authored-by: Simon Arlott <sa.me.uk>
2016-04-30 21:39:05 +00:00
William Pitcock
d5ff7a9c3c ssld: do not shadow openssl-internal symbol "ssl_ok" (yeah, i know) 2016-04-02 17:12:28 -05:00
William Pitcock
1533b40304 ssld: we use uint8_t for IPC buffers, not char 2016-04-02 17:11:21 -05:00
Simon Arlott
b7cca0143d ssld: change_connid may be called with an unknown ID
If change_connid is called with an unknown ID, conn will be
NULL, check this with an assert and then respond by reporting
the new ID as closed instead of dereferencing a NULL pointer.
2016-04-02 17:11:08 -05:00
Valerii Iatsko
b1f028e5d4 ssld: fix memleak
same as r29199 ircd-ratbox:
free zlib_stream_t with the rest of the conn_t
2016-04-02 17:10:42 -05:00
William Pitcock
a5ddb7df2e ssld: check conn->plain_fd when setting conn->plain_fd type to RB_FD_SOCKET 2015-12-16 07:32:12 -06:00
William Pitcock
c1725bda3c ssl: allow cipher list to be overridden (closes #67) 2015-12-12 07:50:48 -06:00
William Pitcock
94356462c0 ssld: use uint64_t explicitly when we want 64-bit counters 2015-12-12 04:51:43 -06:00
William Pitcock
74ff144d33 ssld: fix a type warning pointed out by clang 2015-12-12 04:50:35 -06:00
William Pitcock
6cd1aca7f1 ssld: take inbuf/outbuf out of global scope, since its unnecessary 2015-12-12 04:50:15 -06:00
William Pitcock
42dbc23943 ssld: enable sending SSL cipher information if available 2015-12-11 08:32:19 -06:00
William Pitcock
408a29c65a ssld: integrate some cleanups from ratbox 3.1 2015-12-10 23:40:24 -06:00
William Pitcock
c7708a0994 ssld: update for protocol changes 2015-12-08 14:26:26 -06:00
William Pitcock
772c95cc7a ssld: we only will continue supporting one fingerprint method at a time 2015-12-07 01:21:26 -06:00
Elizabeth Myers
e6bbb41030 Add ability to change CertFP hash.
Presently this only supports SHA1, as the machinery to actually change
the cipher is not hooked up to anything yet.
2015-12-07 01:14:02 -06:00
Jail Bird
29c92cf95f Spring cleaning redux:
- Implemented changes suggested by Jilles
- Remove some unused parameters in functions
- Remove some unused ssl procs
- 63-bit time_t support in TS deltas
- const char * vs char * cleanup
- struct alignment (void *) casts
- signed vs unsigned fixes
- bad memset() call
- Bad LT_MAIN in libratbox
- char -> unsigned char casts for isdigit/isspace/etc calls

Thanks Jilles!
2015-04-20 00:55:20 -05:00
Keith Buck
55abcbb20a Remove trailing whitespace from all .c and .h files.
3134 bytes were removed.
2014-03-03 04:25:47 +00:00
William Pitcock
85e9bf4151 ssld: force the control buffer to be unsigned bytes except in special circumstances
This has the side effect of fixing GnuTLS.
2014-02-08 18:40:35 +00:00
Nathan Phillip Brink
634d4aad72 Fix inconsistency between --sysconfdir and --with-confdir, deprecate --with-confdir.
The inconsistency was created in
c74836dc4a where genssl.sh.in was made
to use sysconfdir while the IRCd and buildsystem still used confdir.
2012-03-02 01:11:42 +00:00
Nathan Phillip Brink
c74836dc4a Add explicit support for being installed into a system triggered with --enable-fhs-paths.
Add two mechanism for avoiding name-collisions in a system-wide
installation of charybdis. The ssld and bandb daemons, intended to be
directly used by ircd and not the user, install into libexec when
--enable-fhs-paths is set. For binaries which are meant to be in PATH
(bindir), such as ircd and viconf, there is now an option
--with-program-prefix=progprefix inspired by automake. If the user
specifies --with-program-prefix=charybdis, the ircd binary is named
charybdisircd when installed.

Add support for saving the pidfile to a rundir and storing the ban
database in localstatedir instead of in sysconfdir. This is, again,
conditional on --enable-fhs-paths.

Fix(?) genssl.sh to always write created SSL key/certificate/dh
parameters to the sysconfdir specified during ./configure. The
previous behavior was to assume that the user ran genssl.sh after
ensuring that his current working directory was either sysconfdir or a
sibling directory of sysconfdir.
2012-03-01 02:41:09 +00:00
William Pitcock
a7675ed255 ssld: Request fingerprint when connecting to the server, not just on inbound connections. 2010-12-14 21:28:35 -06:00
Jilles Tjoelker
7247337afa Add certfp support to libratbox and ssld.
This lets a user connect with a client certificate, and
passes the certificate's fingerprint to ircd, which
currently just notices it to the user.

A new ssld->ircd message 'F' is used to pass on the
fingerprint.

This is only for OpenSSL for now, not GNUTLS.
2010-01-31 19:04:20 +01:00
Jilles Tjoelker
e99f612205 ssld: Fix an fd leak when closing connections.
Lightly tested.
2009-11-15 23:11:18 +01:00
Jilles Tjoelker
c03677e9be ssld: Do not crash if not all fds in a message could be received.
Actually fill the mod_ctl_buf_t.nfds field.
2009-11-15 22:41:02 +01:00
Jilles Tjoelker
07c2bb757d Fix close detection with ssl+zip, porting more code from ircd-ratbox.
This tells the SSL ssld to report connection closure to ircd
using the new fd.
2009-03-07 03:23:17 +01:00
Jilles Tjoelker
464b7606a8 ssld: Do not do redundant rb_setselect().
Apparently solaris devpoll/ports may have a problem
with this.
from ircd-ratbox (androsyn)
2009-03-03 22:32:18 +01:00
androsyn
0bd120ed48 [svn r26332] get rid of the zip ready stuff 2009-01-01 14:50:21 +03:00
Valeriy Yatsko
3202e24921 Copied libratbox and related stuff from shadowircd upstream. 2008-12-03 02:49:39 +03:00
Jilles Tjoelker
e27ac6024d ssld: un #if 0 the /dev/null stuff out 2008-08-25 18:48:30 +02:00
Valery Yatsko
7edb4f163f ssld synced with ircd-ratbox3 svn 2008-07-30 02:57:01 +04:00
Jilles Tjoelker
a444bb7837 Show reason for failed outgoing SSL handshakes to opers.
Also add a comment that ircd does not care about the
reason for failed incoming SSL handshakes.
ircd-ratbox r25651
2008-06-29 21:56:31 +02:00
Valery V Yatsko
4b6a4d479c sync ssld with ratbox3 repository: now r25594 + charybdis related changes 2008-06-26 21:21:46 +04:00
Valery V Yatsko
21192997c1 Fix compilation without zlib headers present, from the ratbox3 upstream 2008-06-26 21:19:19 +04:00
Jilles Tjoelker
794816af01 Check for the -rpath linker flag.
This makes it build on MacOS X which neither
supports nor needs this flag.
2008-05-17 17:46:37 +02:00
Valery Yatsko
73d6283cfc Importing r25217, r25219 and r25221 from ratbox3 2008-04-10 20:37:42 +04:00
Valery Yatsko
8d99443b6b ssld from ratbox3 without automake dep 2008-04-06 14:46:52 +04:00
Valery Yatsko
54ac8b60a1 Reverting some changed related not to moving on libratbox3 but using ratbox3 source! 2008-04-02 19:37:50 +04:00
Valery Yatsko
18b94b70dc replacing ssld with servlink 2008-04-02 17:00:18 +04:00