From 4d36a9e49894c624f1392986417694fc57295d4a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alexander=20F=C3=A6r=C3=B8y?=
Date: Sun, 23 Jun 2013 23:50:32 +0000
Subject: [PATCH] Add TLSA related signals

This patch adds 3 new signals:

* tlsa avalable: emitted if TLSA is available for a given domain.
* tlsa verification success: emitted if the TLSA check was successful.
* tlsa verification failed: emitted if the TLSA check was unsuccessful.

git-svn-id: file:///var/www/svn.irssi.org/SVN/irssi/trunk@5220 dbcabf3a-b0e7-0310-adc4-f8d773084564
---
 docs/signals.txt | 5 +++++
 src/core/network-openssl.c | 14 ++++++--------
 2 files changed, 11 insertions(+), 8 deletions(-)

diff --git a/docs/signals.txt b/docs/signals.txt
index 3a7bb650..fd9ccc11 100644
--- a/docs/signals.txt
+++ b/docs/signals.txt
@@ -55,6 +55,11 @@ modules.c:
   "module unloaded", MODULE_REC, MODULE_FILE_REC
   "module error", int error, char *text, char *rootmodule, char *submodule
 
+network-openssl.c:
+  "tlsa available", SERVER_REC
+  "tlsa verification success", SERVER_REC
+  "tlsa verification failed", SERVER_REC
+
 nicklist.c:
   "nicklist new", CHANNEL_REC, NICK_REC
   "nicklist remove", CHANNEL_REC, NICK_REC
diff --git a/src/core/network-openssl.c b/src/core/network-openssl.c
index 35687473..89b6a0e9 100644
--- a/src/core/network-openssl.c
+++ b/src/core/network-openssl.c
@@ -203,7 +203,7 @@ static gboolean irssi_ssl_verify_hostname(X509 *cert, const char *hostname)
 	return matched;
 }
 
-static gboolean irssi_ssl_verify(SSL *ssl, SSL_CTX *ctx, const char* hostname, int port, X509 *cert)
+static gboolean irssi_ssl_verify(SSL *ssl, SSL_CTX *ctx, const char* hostname, int port, X509 *cert, SERVER_REC *server)
 {
 	long result;
 #ifdef HAVE_DANE
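Review bot: The new `server` parameter added to `irssi_ssl_verify` in this hunk appears to be consumed only inside the `#ifdef HAVE_DANE` region (the uses shown in the following hunk are all next to the val_getdaneinfo/val_dane_check calls), so a build without DANE support would get an unused-parameter warning and a reader has no hint why a SERVER_REC is threaded into a certificate-verification helper. A comment on the definition would fix the second part, e.g. `/* server: target of the "tlsa available" / "tlsa verification ..." signals; only used when HAVE_DANE is defined */`, and a `(void)server;` in the non-DANE path would keep `-Wunused-parameter` quiet. The function body continues past the end of this hunk, so I cannot confirm whether an `#else` branch already exists.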
@@ -218,23 +218,21 @@ static gboolean irssi_ssl_verify(SSL *ssl, SSL_CTX *ctx, const char* hostname, i
 	dane_ret = val_getdaneinfo(NULL, hostname, &daneparams, &danestatus);
 
 	if (dane_ret == VAL_DANE_NOERROR) {
-		g_warning("DANE: TLSA record for hostname %s exists", hostname);
-	} else if (dane_ret != VAL_DANE_IGNORE_TLSA) {
-		g_warning("DANE: TLSA record for hostname %s could not be verified", hostname);
+		signal_emit("tlsa available", 1, server);
 	}
 
 	if (danestatus != NULL) {
 		int do_certificate_check = 1;
 
 		if (val_dane_check(NULL, ssl, danestatus, &do_certificate_check) != VAL_DANE_NOERROR) {
-			g_warning("DANE: Failed to verify hostname %s", hostname);
+			g_warning("DANE: TLSA record for hostname %s port %d could not be verified", hostname, port);
+			signal_emit("tlsa verification failed", 1, server);
 			return FALSE;
 		}
 
-		g_warning("DANE: SSL certificate verified using DANE");
+		signal_emit("tlsa verification success", 1, server);
 
 		if (do_certificate_check == 0) {
-			g_warning("DANE: Skipping additional checks");
 			return TRUE;
 		}
 	}
@@ -580,7 +578,7 @@ int irssi_ssl_handshake(GIOChannel *handle)
 		g_warning("SSL server supplied no certificate");
 		return -1;
 	}
-	ret = !chan->verify || irssi_ssl_verify(chan->ssl, chan->ctx, chan->server->connrec->address, chan->port, cert);
+	ret = !chan->verify || irssi_ssl_verify(chan->ssl, chan->ctx, chan->server->connrec->address, chan->port, cert, chan->server);
 	X509_free(cert);
 	return ret ? 0 : -1;
 }
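Review bot: The removed `else if (dane_ret != VAL_DANE_IGNORE_TLSA)` branch was the only place a failed TLSA lookup was reported; after this change a val_getdaneinfo result that is neither NOERROR nor IGNORE_TLSA yields no warning and no signal, and with `danestatus` still NULL the function presumably falls through to the ordinary certificate checks that follow the hunk. That makes an unverifiable or stripped TLSA record look the same to the user as a host that never published one, which is exactly the downgrade a DANE-aware client should surface. Keep a warning and emit the failure signal in that branch, e.g. `} else if (dane_ret != VAL_DANE_IGNORE_TLSA) { g_warning("DANE: TLSA record for hostname %s port %d could not be verified", hostname, port); signal_emit("tlsa verification failed", 1, server); }`. Separately, "tlsa verification success" is emitted before the remaining X.509 checks run whenever `do_certificate_check` is non-zero, so listeners must not read it as "connection verified"; that caveat belongs next to the new entries in docs/signals.txt. The rest of `irssi_ssl_verify` lies outside this hunk.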