This backports the code responsible for SPKI digests from release/4.
It also adjusts doc/reference.conf to note that SPKI digests are now
supported, and how to generate them. It does NOT backport the mkfingerprint
program -- the instructions in reference.conf are sufficient. I am ofcourse
open to anyone else backporting the program, but I don't see the need.
Nothing in the Charybdis or libratbox code calls rb_get_pseudo_random
and under OpenSSL it uses RAND_pseudo_bytes() which is both dangerous
and removed in OpenSSL version 1.1.0.
- Implemented changes suggested by Jilles
- Remove some unused parameters in functions
- Remove some unused ssl procs
- 63-bit time_t support in TS deltas
- const char * vs char * cleanup
- struct alignment (void *) casts
- signed vs unsigned fixes
- bad memset() call
- Bad LT_MAIN in libratbox
- char -> unsigned char casts for isdigit/isspace/etc calls
Thanks Jilles!
This allows for some further hardening against synflooding and connection flooding
where no data is actually sent, as the kernel will simply ignore those connections
(well, as far as the ircd is concerned anyway).
This lets a user connect with a client certificate, and
passes the certificate's fingerprint to ircd, which
currently just notices it to the user.
A new ssld->ircd message 'F' is used to pass on the
fingerprint.
This is only for OpenSSL for now, not GNUTLS.
In rare cases, this sharing caused the ircd to skip
part of outgoing traffic, e.g. appearing as "not enough
parameters" errors on the other side.
The purpose of this flag can be fulfilled by the writeofs
in the bufhead.
libratbox r25227
Use RB_SOCKADDR_HAS_SA_LEN instead of SOCKADDR_IN_HAS_LEN
which is only defined inside libratbox.
This fixes creating own sockaddr structs in other programs
using SET_SS_LEN, then passing them to libratbox, on
4.4BSD based systems.