This backports the code responsible for SPKI digests from release/4.
It also adjusts doc/reference.conf to note that SPKI digests are now
supported, and how to generate them. It does NOT backport the mkfingerprint
program -- the instructions in reference.conf are sufficient. I am ofcourse
open to anyone else backporting the program, but I don't see the need.
* Properly allow no DH parameters (some backends come with defaults)
* If no private key is given, assume it's in the certificate file
* Use correct length calculation in buffer for TLS options
* Fix compiler warnings regarding uint64_t stats counters
openssl:
* Don't manually initialise libssl 1.1.0 -- it does this automatically
* SSL_library_init() should be called first otherwise
* Move SSL_CTX construction to rb_setup_ssl_server()
* Test for all required files (certificate & key) before doing anything
* Free the old CTX before constructing a new one (Fixes#186)
* Properly abort rb_setup_ssl_server() on CTX construction failures
* Support ECDHE on more than one curve on OpenSSL 1.0.2 and above
* Clean up ifdef indentation
* Fix DH parameters memory leak
mbedtls:
* Fix certificate fingerprint generation
* Fix library linking order
* Fix incorrect printf()-esque argument count
* Return digest length for fingerprints instead of 1, consistent
with the other backends
sslproc / ssld:
* Fingerprint methods have no assocated file descriptors
* Send TLS information (cipher, fingerprint) before data
* Use correct header length for fingerprint method
Authored-by: Aaron Jones <aaronmdjones@gmail.com>
Authored-by: William Pitcock <nenolod@dereferenced.org>
Authored-by: Simon Arlott <sa.me.uk>
If change_connid is called with an unknown ID, conn will be
NULL, check this with an assert and then respond by reporting
the new ID as closed instead of dereferencing a NULL pointer.
- Implemented changes suggested by Jilles
- Remove some unused parameters in functions
- Remove some unused ssl procs
- 63-bit time_t support in TS deltas
- const char * vs char * cleanup
- struct alignment (void *) casts
- signed vs unsigned fixes
- bad memset() call
- Bad LT_MAIN in libratbox
- char -> unsigned char casts for isdigit/isspace/etc calls
Thanks Jilles!
This lets a user connect with a client certificate, and
passes the certificate's fingerprint to ircd, which
currently just notices it to the user.
A new ssld->ircd message 'F' is used to pass on the
fingerprint.
This is only for OpenSSL for now, not GNUTLS.