aniani/irssi
1
0
Fork 0
mirror of https://github.com/irssi/irssi.git synced 2024-06-09 06:20:45 +00:00
Code

verify tls connection

Browse Source
This commit is contained in:
Ailin Nemui 2021-04-07 22:18:05 +02:00
parent 2a0f1d7636
commit 244a8c72b4
8 changed files with 123 additions and 71 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
irssi.conf
View File

@ -1,10 +1,10 @@
servers = (
{ address = "irc.dal.net"; chatnet = "DALnet"; port = "6667"; },
{ address = "ssl.efnet.org"; chatnet = "EFNet"; port = "9999"; use_tls = "yes"; },
{ address = "ssl.efnet.org"; chatnet = "EFNet"; port = "9999"; use_tls = "yes"; tls_verify = "no"; },
{ address = "irc.esper.net"; chatnet = "EsperNet"; port = "6697"; use_tls = "yes"; tls_verify = "yes"; },
{ address = "chat.freenode.net"; chatnet = "Freenode"; port = "6697"; use_tls = "yes"; tls_verify = "yes"; },
{ address = "irc.gamesurge.net"; chatnet = "GameSurge"; port = "6667"; },
{ address = "eu.irc6.net"; chatnet = "IRCnet"; port = "6667"; use_tls = "yes"; },
{ address = "ssl.ircnet.ovh"; chatnet = "IRCnet"; port = "6697"; use_tls = "yes"; tls_verify = "yes"; },
{ address = "open.ircnet.net"; chatnet = "IRCnet"; port = "6667"; },
{ address = "irc.ircsource.net"; chatnet = "IRCSource"; port = "6667"; },
{ address = "irc.netfuze.net"; chatnet = "NetFuze"; port = "6667"; },

47
src/core/chat-commands.c
View File

@ -40,7 +40,7 @@ static SERVER_CONNECT_REC *get_server_connect(const char *data, int *plus_addr,
CHAT_PROTOCOL_REC *proto;
SERVER_CONNECT_REC *conn;
GHashTable *optlist;
char *addr, *portstr, *password, *nick, *chatnet, *host, *tmp;
char *addr, *portstr, *password, *nick, *chatnet, *host;
void *free_arg;
g_return_val_if_fail(data != NULL, NULL);
@ -94,50 +94,7 @@ static SERVER_CONNECT_REC *get_server_connect(const char *data, int *plus_addr,
if (strchr(addr, '/') != NULL)
conn->unix_socket = TRUE;
if (g_hash_table_lookup(optlist, "6") != NULL)
conn->family = AF_INET6;
else if (g_hash_table_lookup(optlist, "4") != NULL)
conn->family = AF_INET;
if (g_hash_table_lookup(optlist, "notls") != NULL)
conn->use_tls = FALSE;
if (g_hash_table_lookup(optlist, "tls") != NULL || g_hash_table_lookup(optlist, "ssl") != NULL)
conn->use_tls = TRUE;
if ((tmp = g_hash_table_lookup(optlist, "tls_cert")) != NULL || (tmp = g_hash_table_lookup(optlist, "ssl_cert")) != NULL)
conn->tls_cert = g_strdup(tmp);
if ((tmp = g_hash_table_lookup(optlist, "tls_pkey")) != NULL || (tmp = g_hash_table_lookup(optlist, "ssl_pkey")) != NULL)
conn->tls_pkey = g_strdup(tmp);
if ((tmp = g_hash_table_lookup(optlist, "tls_pass")) != NULL || (tmp = g_hash_table_lookup(optlist, "ssl_pass")) != NULL)
conn->tls_pass = g_strdup(tmp);
if (g_hash_table_lookup(optlist, "notls_verify") != NULL)
conn->tls_verify = FALSE;
if (g_hash_table_lookup(optlist, "tls_verify") != NULL || g_hash_table_lookup(optlist, "ssl_verify") != NULL)
conn->tls_verify = TRUE;
if ((tmp = g_hash_table_lookup(optlist, "tls_cafile")) != NULL || (tmp = g_hash_table_lookup(optlist, "ssl_cafile")) != NULL)
conn->tls_cafile = g_strdup(tmp);
if ((tmp = g_hash_table_lookup(optlist, "tls_capath")) != NULL || (tmp = g_hash_table_lookup(optlist, "ssl_capath")) != NULL)
conn->tls_capath = g_strdup(tmp);
if ((tmp = g_hash_table_lookup(optlist, "tls_ciphers")) != NULL || (tmp = g_hash_table_lookup(optlist, "ssl_ciphers")) != NULL)
conn->tls_ciphers = g_strdup(tmp);
if ((tmp = g_hash_table_lookup(optlist, "tls_pinned_cert")) != NULL || (tmp = g_hash_table_lookup(optlist, "ssl_pinned_cert")) != NULL)
conn->tls_pinned_cert = g_strdup(tmp);
if ((tmp = g_hash_table_lookup(optlist, "tls_pinned_pubkey")) != NULL || (tmp = g_hash_table_lookup(optlist, "ssl_pinned_pubkey")) != NULL)
conn->tls_pinned_pubkey = g_strdup(tmp);
if ((conn->tls_capath != NULL && conn->tls_capath[0] != '\0')
|| (conn->tls_cafile != NULL && conn->tls_cafile[0] != '\0'))
conn->tls_verify = TRUE;
if ((conn->tls_cert != NULL && conn->tls_cert[0] != '\0') || conn->tls_verify)
conn->use_tls = TRUE;
if (g_hash_table_lookup(optlist, "!") != NULL)
conn->no_autojoin_channels = TRUE;
if (g_hash_table_lookup(optlist, "noautosendcmd") != NULL)
conn->no_autosendcmd = TRUE;
if (g_hash_table_lookup(optlist, "noproxy") != NULL)
g_free_and_null(conn->proxy);
/* TLS options are handled in server_create_conn_opt ... -> server_setup_fill_optlist */
*rawlog_file = g_strdup(g_hash_table_lookup(optlist, "rawlog"));

74
src/core/servers-setup.c
View File

@ -180,6 +180,68 @@ static void server_setup_fill(SERVER_CONNECT_REC *conn, const char *address, int
signal_emit("server setup fill connect", 2, conn, optlist);
}
static void server_setup_fill_optlist(SERVER_CONNECT_REC *conn, GHashTable *optlist)
{
char *tmp;
if (g_hash_table_lookup(optlist, "6") != NULL)
conn->family = AF_INET6;
else if (g_hash_table_lookup(optlist, "4") != NULL)
conn->family = AF_INET;
/* ad-hoc TLS settings from command optlist */
if ((tmp = g_hash_table_lookup(optlist, "tls_cert")) != NULL ||
(tmp = g_hash_table_lookup(optlist, "ssl_cert")) != NULL)
conn->tls_cert = g_strdup(tmp);
if ((tmp = g_hash_table_lookup(optlist, "tls_pkey")) != NULL ||
(tmp = g_hash_table_lookup(optlist, "ssl_pkey")) != NULL)
conn->tls_pkey = g_strdup(tmp);
if ((tmp = g_hash_table_lookup(optlist, "tls_pass")) != NULL ||
(tmp = g_hash_table_lookup(optlist, "ssl_pass")) != NULL)
conn->tls_pass = g_strdup(tmp);
if ((tmp = g_hash_table_lookup(optlist, "tls_cafile")) != NULL ||
(tmp = g_hash_table_lookup(optlist, "ssl_cafile")) != NULL)
conn->tls_cafile = g_strdup(tmp);
if ((tmp = g_hash_table_lookup(optlist, "tls_capath")) != NULL ||
(tmp = g_hash_table_lookup(optlist, "ssl_capath")) != NULL)
conn->tls_capath = g_strdup(tmp);
if ((tmp = g_hash_table_lookup(optlist, "tls_ciphers")) != NULL ||
(tmp = g_hash_table_lookup(optlist, "ssl_ciphers")) != NULL)
conn->tls_ciphers = g_strdup(tmp);
if ((tmp = g_hash_table_lookup(optlist, "tls_pinned_cert")) != NULL ||
(tmp = g_hash_table_lookup(optlist, "ssl_pinned_cert")) != NULL)
conn->tls_pinned_cert = g_strdup(tmp);
if ((tmp = g_hash_table_lookup(optlist, "tls_pinned_pubkey")) != NULL ||
(tmp = g_hash_table_lookup(optlist, "ssl_pinned_pubkey")) != NULL)
conn->tls_pinned_pubkey = g_strdup(tmp);
if ((conn->tls_capath != NULL && conn->tls_capath[0] != '\0') ||
(conn->tls_cafile != NULL && conn->tls_cafile[0] != '\0'))
conn->tls_verify = TRUE;
if (g_hash_table_lookup(optlist, "notls_verify") != NULL)
conn->tls_verify = FALSE;
if (g_hash_table_lookup(optlist, "tls_verify") != NULL ||
g_hash_table_lookup(optlist, "ssl_verify") != NULL)
conn->tls_verify = TRUE;
if ((conn->tls_cert != NULL && conn->tls_cert[0] != '\0') || conn->tls_verify)
conn->use_tls = TRUE;
if (g_hash_table_lookup(optlist, "notls") != NULL)
conn->use_tls = FALSE;
if (g_hash_table_lookup(optlist, "tls") != NULL ||
g_hash_table_lookup(optlist, "ssl") != NULL)
conn->use_tls = TRUE;
if (g_hash_table_lookup(optlist, "!") != NULL)
conn->no_autojoin_channels = TRUE;
if (g_hash_table_lookup(optlist, "noautosendcmd") != NULL)
conn->no_autosendcmd = TRUE;
if (g_hash_table_lookup(optlist, "noproxy") != NULL)
g_free_and_null(conn->proxy);
signal_emit("server setup fill optlist", 2, conn, optlist);
}
static void server_setup_fill_server(SERVER_CONNECT_REC *conn,
SERVER_SETUP_REC *sserver)
{
@ -262,6 +324,10 @@ static SERVER_CONNECT_REC *create_addr_conn(int chat_type, const char *address,
if (sserver != NULL)
server_setup_fill_server(conn, sserver);
/* fill the optlist overrides */
if (g_hash_table_size(optlist))
server_setup_fill_optlist(conn, optlist);
/* nick / password given in command line overrides all settings */
if (password && *password) {
g_free_not_null(conn->password);
@ -418,7 +484,8 @@ static SERVER_SETUP_REC *server_setup_read(CONFIG_NODE *node)
rec->password = g_strdup(config_node_get_str(node, "password", NULL));
rec->use_tls = config_node_get_bool(node, "use_tls", FALSE) || config_node_get_bool(node, "use_ssl", FALSE);
rec->tls_verify = config_node_get_bool(node, "tls_verify", FALSE) || config_node_get_bool(node, "ssl_verify", FALSE);
rec->tls_verify = config_node_get_bool(node, "tls_verify", TRUE) ||
config_node_get_bool(node, "ssl_verify", FALSE);
value = config_node_get_str(node, "tls_cert", NULL);
if (value == NULL)
@ -460,11 +527,6 @@ static SERVER_SETUP_REC *server_setup_read(CONFIG_NODE *node)
value = config_node_get_str(node, "ssl_pinned_pubkey", NULL);
rec->tls_pinned_pubkey = g_strdup(value);
if (rec->tls_cafile || rec->tls_capath)
rec->tls_verify = TRUE;
if (rec->tls_cert != NULL || rec->tls_verify)
rec->use_tls = TRUE;
rec->port = port;
rec->autoconnect = config_node_get_bool(node, "autoconnect", FALSE);
rec->no_proxy = config_node_get_bool(node, "no_proxy", FALSE);

39
src/fe-common/core/fe-server.c
View File

@ -101,6 +101,7 @@ static SERVER_SETUP_REC *create_server_setup(GHashTable *optlist)
server = rec->create_server_setup();
server->chat_type = rec->id;
server->tls_verify = TRUE;
return server;
}
@ -110,6 +111,7 @@ static void cmd_server_add_modify(const char *data, gboolean add)
SERVER_SETUP_REC *rec;
char *addr, *portstr, *password, *value, *chatnet;
void *free_arg;
gboolean newrec;
int port;
if (!cmd_get_params(data, &free_arg, 3 | PARAM_FLAG_OPTIONS,
@ -135,6 +137,7 @@ static void cmd_server_add_modify(const char *data, gboolean add)
rec = server_setup_find(addr, port, chatnet);
if (rec == NULL) {
newrec = TRUE;
if (add == FALSE) {
printformat(NULL, NULL, MSGLEVEL_CLIENTNOTICE,
TXT_SETUPSERVER_NOT_FOUND, addr, port);
@ -150,6 +153,7 @@ static void cmd_server_add_modify(const char *data, gboolean add)
rec->address = g_strdup(addr);
rec->port = port;
} else {
newrec = FALSE;
if (*portstr != '\0' || g_hash_table_lookup(optlist, "port"))
rec->port = port;
@ -165,16 +169,17 @@ static void cmd_server_add_modify(const char *data, gboolean add)
else if (g_hash_table_lookup(optlist, "4"))
rec->family = AF_INET;
if (g_hash_table_lookup(optlist, "tls") || g_hash_table_lookup(optlist, "ssl"))
rec->use_tls = TRUE;
else if (g_hash_table_lookup(optlist, "notls") || g_hash_table_lookup(optlist, "nossl"))
rec->use_tls = FALSE;
value = g_hash_table_lookup(optlist, "tls_cert");
if (value == NULL)
value = g_hash_table_lookup(optlist, "ssl_cert");
if (value != NULL && *value != '\0')
if (value != NULL && *value != '\0') {
rec->tls_cert = g_strdup(value);
if (newrec) {
/* convenience and backward compatibility, turn on tls if tls_cert is given
*/
rec->use_tls = TRUE;
}
}
value = g_hash_table_lookup(optlist, "tls_pkey");
if (value == NULL)
@ -188,11 +193,6 @@ static void cmd_server_add_modify(const char *data, gboolean add)
if (value != NULL && *value != '\0')
rec->tls_pass = g_strdup(value);
if (g_hash_table_lookup(optlist, "tls_verify") || g_hash_table_lookup(optlist, "ssl_verify"))
rec->tls_verify = TRUE;
else if (g_hash_table_lookup(optlist, "notls_verify") || g_hash_table_lookup(optlist, "nossl_verify"))
rec->tls_verify = FALSE;
value = g_hash_table_lookup(optlist, "tls_cafile");
if (value == NULL)
value = g_hash_table_lookup(optlist, "ssl_cafile");
@ -227,8 +227,23 @@ static void cmd_server_add_modify(const char *data, gboolean add)
|| (rec->tls_capath != NULL && rec->tls_capath[0] != '\0'))
rec->tls_verify = TRUE;
if ((rec->tls_cert != NULL && rec->tls_cert[0] != '\0') || rec->tls_verify == TRUE)
if (g_hash_table_lookup(optlist, "tls_verify") ||
g_hash_table_lookup(optlist, "ssl_verify")) {
rec->tls_verify = TRUE;
if (newrec) {
/* convenience and backward compatibility, turn on tls if tls_verify is
* given */
rec->use_tls = TRUE;
}
} else if (g_hash_table_lookup(optlist, "notls_verify") ||
g_hash_table_lookup(optlist, "nossl_verify")) {
rec->tls_verify = FALSE;
}
if (g_hash_table_lookup(optlist, "tls") || g_hash_table_lookup(optlist, "ssl"))
rec->use_tls = TRUE;
else if (g_hash_table_lookup(optlist, "notls") || g_hash_table_lookup(optlist, "nossl"))
rec->use_tls = FALSE;
if (g_hash_table_lookup(optlist, "auto")) rec->autoconnect = TRUE;
if (g_hash_table_lookup(optlist, "noauto")) rec->autoconnect = FALSE;

8
src/fe-common/irc/fe-irc-server.c
View File

@ -91,8 +91,10 @@ static void sig_server_add_fill(IRC_SERVER_SETUP_REC *rec,
rec->starttls = -1;
if (g_hash_table_lookup(optlist, "disallow_starttls"))
rec->starttls = 0;
if (g_hash_table_lookup(optlist, "starttls"))
if (g_hash_table_lookup(optlist, "starttls")) {
rec->starttls = 1;
rec->use_tls = 0;
}
}
/* SYNTAX: SERVER LIST */
@ -129,8 +131,8 @@ static void cmd_server_list(const char *data)
if (rec->tls_pass)
g_string_append_printf(str, "(pass), ");
}
if (rec->tls_verify)
g_string_append(str, "tls_verify, ");
if (!rec->tls_verify)
g_string_append(str, "notls_verify, ");
if (rec->tls_cafile)
g_string_append_printf(str, "tls_cafile: %s, ", rec->tls_cafile);
if (rec->tls_capath)

17
src/irc/core/irc-servers-setup.c
View File

@ -64,11 +64,19 @@ static void sig_server_setup_fill_connect(IRC_SERVER_CONNECT_REC *conn, GHashTab
value = settings_get_str("usermode");
conn->usermode = (value != NULL && *value != '\0') ?
g_strdup(value) : NULL;
}
if (g_hash_table_lookup(optlist, "starttls") != NULL)
static void sig_server_setup_fill_optlist(IRC_SERVER_CONNECT_REC *conn, GHashTable *optlist)
{
if (!IS_IRC_SERVER_CONNECT(conn))
return;
if (g_hash_table_lookup(optlist, "starttls") != NULL) {
conn->starttls = 1;
else if (g_hash_table_lookup(optlist, "disallow_starttls") != NULL)
conn->use_tls = 0;
} else if (g_hash_table_lookup(optlist, "disallow_starttls") != NULL) {
conn->disallow_starttls = 1;
}
}
static void sig_server_setup_fill_chatnet(IRC_SERVER_CONNECT_REC *conn,
@ -184,6 +192,9 @@ static void sig_server_setup_read(IRC_SERVER_SETUP_REC *rec, CONFIG_NODE *node)
rec->cmd_queue_speed = config_node_get_int(node, "cmd_queue_speed", 0);
rec->max_query_chans = config_node_get_int(node, "max_query_chans", 0);
rec->starttls = config_node_get_bool(node, "starttls", -1);
if (rec->starttls == 1) {
rec->use_tls = 0;
}
}
static void sig_server_setup_saved(IRC_SERVER_SETUP_REC *rec,
@ -213,6 +224,7 @@ void irc_servers_setup_init(void)
signal_add("server setup fill reconn", (SIGNAL_FUNC) sig_server_setup_fill_reconn);
signal_add("server setup fill connect", (SIGNAL_FUNC) sig_server_setup_fill_connect);
signal_add("server setup fill chatnet", (SIGNAL_FUNC) sig_server_setup_fill_chatnet);
signal_add("server setup fill optlist", (SIGNAL_FUNC) sig_server_setup_fill_optlist);
signal_add("server setup read", (SIGNAL_FUNC) sig_server_setup_read);
signal_add("server setup saved", (SIGNAL_FUNC) sig_server_setup_saved);
}
@ -222,6 +234,7 @@ void irc_servers_setup_deinit(void)
signal_remove("server setup fill reconn", (SIGNAL_FUNC) sig_server_setup_fill_reconn);
signal_remove("server setup fill connect", (SIGNAL_FUNC) sig_server_setup_fill_connect);
signal_remove("server setup fill chatnet", (SIGNAL_FUNC) sig_server_setup_fill_chatnet);
signal_remove("server setup fill optlist", (SIGNAL_FUNC) sig_server_setup_fill_optlist);
signal_remove("server setup read", (SIGNAL_FUNC) sig_server_setup_read);
signal_remove("server setup saved", (SIGNAL_FUNC) sig_server_setup_saved);
}

1
src/irc/core/irc-servers.c
View File

@ -470,6 +470,7 @@ void irc_server_connect(SERVER_REC *server)
g_return_if_fail(server != NULL);
if (server->connrec->connect_handle != NULL) {
/* an existing handle from upgrade */
IRC_SERVER_CONNECT_REC *conn;
int tls_disconnect;

4
src/irc/core/irc-session.c
View File

@ -128,8 +128,10 @@ static void sig_session_restore_server(IRC_SERVER_REC *server,
starttls_mode = config_node_get_int(node, "starttls", -1);
if (starttls_mode == 0)
server->connrec->disallow_starttls = 1;
if (starttls_mode == 1)
if (starttls_mode == 1) {
server->connrec->starttls = 1;
server->connrec->use_tls = 0;
}
if (server->isupport == NULL) {
server->isupport =