1
0
mirror of https://github.com/irssi/irssi.git synced 2024-11-03 04:27:19 -05:00

Kill support for DANE.

This patch removes support for DANE validation of TLS certificates.

There wasn't enough support in the IRC community to push for this on the
majority of bigger IRC networks. If you believe this should be
reintroduced into irssi, then please come up with an implementation that
does not rely on the libval library. It is causing a lot of troubles for
our downstream maintainers.
This commit is contained in:
Alexander Færøy 2016-10-21 01:17:35 +02:00
parent f533baa191
commit 5a04430998
No known key found for this signature in database
GPG Key ID: E15081D5D3C3DB53
4 changed files with 8 additions and 63 deletions

8
NEWS
View File

@ -46,6 +46,14 @@ v0.8.21-head 2016-xx-xx The Irssi team <staff@irssi.org>
openssl dgst -sha256 -c | \ openssl dgst -sha256 -c | \
tr a-z A-Z tr a-z A-Z
+ Remove support for DANE validation of TLS certificates.
There wasn't enough support in the IRC community to push for this on the
majority of bigger IRC networks. If you believe this should be
reintroduced into irssi, then please come up with an implementation that
does not rely on the libval library. It is causing a lot of troubles for
our downstream maintainers.
- IP addresses are no longer stored when resolve_reverse_lookup is - IP addresses are no longer stored when resolve_reverse_lookup is
used. used.
- /names and $[...] now uses utf8 string operations (#40, #411). - /names and $[...] now uses utf8 string operations (#40, #411).

View File

@ -135,15 +135,6 @@ AC_ARG_WITH(perl,
fi, fi,
want_perl=static) want_perl=static)
AC_ARG_ENABLE(dane,
[ --enable-dane Enable DANE support],
if test x$enableval = xno ; then
want_dane=no
else
want_dane=yes
fi,
want_dane=no)
AC_ARG_ENABLE(true-color, AC_ARG_ENABLE(true-color,
[ --enable-true-color Build with true color support in terminal], [ --enable-true-color Build with true color support in terminal],
if test x$enableval = xno ; then if test x$enableval = xno ; then
@ -537,17 +528,6 @@ COMMON_LIBS="$FE_COMMON_LIBS $COMMON_NOUI_LIBS"
AC_SUBST(COMMON_NOUI_LIBS) AC_SUBST(COMMON_NOUI_LIBS)
AC_SUBST(COMMON_LIBS) AC_SUBST(COMMON_LIBS)
have_dane=no
if test "x$want_dane" = "xyes"; then
AC_MSG_CHECKING([for DANE])
AC_CHECK_LIB(val-threads, val_getdaneinfo,
[
LIBS="$LIBS -lval-threads -lsres"
AC_DEFINE([HAVE_DANE], [], [DANE support])
have_dane=yes
], [], [-lssl -lcrypto -lsres -lpthread])
fi
if test "x$want_truecolor" = "xyes"; then if test "x$want_truecolor" = "xyes"; then
AC_DEFINE([TERM_TRUECOLOR], [], [true color support in terminal]) AC_DEFINE([TERM_TRUECOLOR], [], [true color support in terminal])
else else
@ -667,7 +647,6 @@ echo "Install prefix ................... : $prefix"
echo echo
echo "Building with 64bit DCC support .. : $offt_64bit" echo "Building with 64bit DCC support .. : $offt_64bit"
echo "Building with DANE support ....... : $have_dane"
echo "Building with true color support.. : $want_truecolor" echo "Building with true color support.. : $want_truecolor"
echo echo

View File

@ -56,9 +56,6 @@ modules.c:
"module error", int error, char *text, char *rootmodule, char *submodule "module error", int error, char *text, char *rootmodule, char *submodule
network-openssl.c: network-openssl.c:
"tlsa available", SERVER_REC
"tlsa verification success", SERVER_REC
"tlsa verification failed", SERVER_REC
"tls handshake finished", SERVER_REC, TLS_REC "tls handshake finished", SERVER_REC, TLS_REC
nicklist.c: nicklist.c:

View File

@ -32,11 +32,6 @@
#include <openssl/ssl.h> #include <openssl/ssl.h>
#include <openssl/err.h> #include <openssl/err.h>
#ifdef HAVE_DANE
#include <validator/validator.h>
#include <validator/val_dane.h>
#endif
/* ssl i/o channel object */ /* ssl i/o channel object */
typedef struct typedef struct
{ {
@ -207,40 +202,6 @@ static gboolean irssi_ssl_verify(SSL *ssl, SSL_CTX *ctx, const char* hostname, i
{ {
long result; long result;
#ifdef HAVE_DANE
int dane_ret;
struct val_daneparams daneparams;
struct val_danestatus *danestatus = NULL;
// Check if a TLSA record is available.
daneparams.port = port;
daneparams.proto = DANE_PARAM_PROTO_TCP;
dane_ret = val_getdaneinfo(NULL, hostname, &daneparams, &danestatus);
if (dane_ret == VAL_DANE_NOERROR) {
signal_emit("tlsa available", 1, server);
}
if (danestatus != NULL) {
int do_certificate_check = 1;
if (val_dane_check(NULL, ssl, danestatus, &do_certificate_check) != VAL_DANE_NOERROR) {
g_warning("DANE: TLSA record for hostname %s port %d could not be verified", hostname, port);
signal_emit("tlsa verification failed", 1, server);
val_free_dane(danestatus);
return FALSE;
}
signal_emit("tlsa verification success", 1, server);
val_free_dane(danestatus);
if (do_certificate_check == 0) {
return TRUE;
}
}
#endif
result = SSL_get_verify_result(ssl); result = SSL_get_verify_result(ssl);
if (result != X509_V_OK) { if (result != X509_V_OK) {
g_warning("Could not verify TLS servers certificate: %s", X509_verify_cert_error_string(result)); g_warning("Could not verify TLS servers certificate: %s", X509_verify_cert_error_string(result));