8e9a741832
Edited by @aaronmdjones:

- Correct some data types and casts
- Minor style fixups (e.g. we put * on the variable name not the type)
- librb/src/openssl.c:
  - Defer call of BIO_free(3ssl) to the end of the conditional block to avoid having calls to it in multiple paths
  - Check the return value of SSL_CTX_set0_tmp_dh_pkey(3ssl) because if it fails then we must use EVP_PKEY_free(3ssl) to avoid a memory leak.
    This could fail if, for example, the user supplied DSA parameters in the DH parameters file instead.
- ircd/newconf.c:
  - Check whether OSSL_DECODER_CTX_new_for_pkey(3ssl) was able to parse the given CHALLENGE public key as a valid RSA public key, and then check whether OSSL_DECODER_from_bio(3ssl) actually loads it successfully
- ircd/s_newconf.c:
  - Use EVP_PKEY_free(3ssl) instead of OPENSSL_free(3ssl) on EVP_PKEY pointers; this will avoid inadvertent memory leaks if the EVP_PKEY structure contains any dynamically-allocated child members
- modules/m_challenge.c:
  - Unconditionally use EVP(3ssl) to generate the SHA-1 digest of the random challenge; this API has been around for a very long time and is available in all supported versions of OpenSSL
  - Add lots of error checking to all steps of the process

Tested against 1.1.1 and 3.0; both with missing and provided DH parameters (which works as you'd expect; the server will not negotiate a DHE cipher without them), and CHALLENGE, including missing keys or keys of the wrong type (e.g. when you supply an EdDSA key instead of an RSA key).

This does break compatibility with OpenSSL 1.1.0 and below, which are now all end-of-life and unsupported anyway.

Closes #357
solanum
Solanum is an IRCv3 server designed to be highly scalable. It implements IRCv3.1 and some parts of IRCv3.2.
It is meant to be used with an IRCv3-capable services implementation such as Atheme or Anope.
necessary requirements
- A supported platform
- A working dynamic library system
- A working lex and yacc - flex and bison should work
platforms
Solanum is developed on Linux with glibc, but is currently portable to most POSIX-compatible operating systems. However, this portability is likely to be removed unless someone is willing to maintain it. If you'd like to be that person, please let us know on IRC.
platform specific errata
These are known issues and workarounds for various platforms.
- macOS: you must set the LIBTOOLIZE environment variable to point to glibtoolize before running autogen.sh:
  brew install libtool
  export LIBTOOLIZE="/usr/local/bin/glibtoolize"
  ./autogen.sh
- FreeBSD: if you are compiling with ipv6 you may experience problems with ipv4 due to the way the socket code is written. To fix this you must:
  sysctl net.inet6.ip6.v6only=0
- Solaris: you may have to set your PATH to include /usr/gnu/bin and /usr/gnu/sbin before /usr/bin and /usr/sbin. Solaris's default tools don't seem to play nicely with the configure script. When running as a 32-bit binary, it should be started as:
  ulimit -n 4095 ; LD_PRELOAD_32=/usr/lib/extendedFILE.so.1 ./solanum
building
sudo apt install build-essential pkg-config libsqlite3-dev # or equivalent for your distribution
./autogen.sh
./configure --prefix=/path/to/installation
make
make check # run tests
make install
See ./configure --help for build options.
feature specific requirements
- For SSL/TLS client and server connections, one of:
  - OpenSSL 1.0.0 or newer (--enable-openssl)
  - LibreSSL (--enable-openssl)
  - mbedTLS (--enable-mbedtls)
  - GnuTLS (--enable-gnutls)
- For certificate-based oper CHALLENGE, OpenSSL 1.0.0 or newer. (Using CHALLENGE is not recommended for new deployments, so if you want to use a different TLS library, feel free.)
- For ECDHE under OpenSSL, on Solaris you will need to compile your own OpenSSL on these systems, as they have removed support for ECC/ECDHE. Alternatively, consider using another library (see above).
tips
- To report bugs in Solanum, visit us at #solanum on Libera Chat
- Please read doc/readme.txt to get an overview of the current documentation.
- Read the NEWS.md file for what's new in this release.
- The files /etc/services, /etc/protocols, and /etc/resolv.conf SHOULD be readable by the user running the server in order for ircd to start with the correct settings. If these files are wrong, Solanum will try to use 127.0.0.1 for a resolver as a last-ditch effort.
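
A pre-start check for the last tip, added here as an example (it is not part of the Solanum distribution). The ROOT prefix argument and the rule that a resolv.conf without any nameserver line counts as "wrong" are assumptions of the example.

```sh
#!/bin/sh
# Added example: pre-start check for the three files named above.
# ROOT is a hypothetical prefix (empty = live system) so the same check
# can be pointed at a chroot or a test tree.

# Print the address of every "nameserver" line in a resolv.conf.
nameservers() {
    awk '$1 == "nameserver" && NF >= 2 { print $2 }' "$1"
}

# One status line per file; return status = number of problems found.
check_runtime_files() {
    root=$1
    problems=0
    for f in /etc/services /etc/protocols /etc/resolv.conf; do
        path="$root$f"
        if [ ! -e "$path" ]; then
            echo "MISSING        $path"
        elif [ ! -r "$path" ]; then
            echo "UNREADABLE     $path (checked as $(id -un))"
        elif [ "$f" = /etc/resolv.conf ] && [ -z "$(nameservers "$path")" ]; then
            # Assumption: no nameserver line counts as a "wrong" file.
            echo "NO NAMESERVER  $path"
        else
            echo "ok             $path"
            continue
        fi
        problems=$((problems + 1))
    done
    return "$problems"
}

# Resolvers the server would end up with: the configured ones, or the
# 127.0.0.1 last-ditch fallback the README describes.
effective_resolvers() {
    conf="$1/etc/resolv.conf"
    found=""
    if [ -r "$conf" ]; then
        found=$(nameservers "$conf")
    fi
    if [ -n "$found" ]; then
        echo "$found"
    else
        echo "127.0.0.1"
    fi
}

# Check the live system as the current user.
check_runtime_files "" || echo "fix the entries above before starting solanum"
```

Run it as the account that will run the server, since readability is evaluated for the calling user.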
git access
- The Solanum git repository can be checked out using the following command:
  git clone https://github.com/solanum-ircd/solanum
- Solanum's git repository can be browsed over the Internet at the following address: https://github.com/solanum-ircd/solanum