
Add TLSA related signals

This patch adds 3 new signals:

  * tlsa available: emitted if TLSA is available for a given domain.
  * tlsa verification success: emitted if the TLSA check was successful.
  * tlsa verification failed: emitted if the TLSA check was unsuccessful.

git-svn-id: file:///var/www/svn.irssi.org/SVN/irssi/trunk@5220 dbcabf3a-b0e7-0310-adc4-f8d773084564
Alexander Færøy 2013-06-23 23:50:32 +00:00 committed by ahf
parent cb873d5b91
commit 4d36a9e498
2 changed files with 11 additions and 8 deletions


@ -55,6 +55,11 @@ modules.c:
"module unloaded", MODULE_REC, MODULE_FILE_REC "module unloaded", MODULE_REC, MODULE_FILE_REC
"module error", int error, char *text, char *rootmodule, char *submodule "module error", int error, char *text, char *rootmodule, char *submodule
network-openssl.c:
"tlsa available", SERVER_REC
"tlsa verification success", SERVER_REC
"tlsa verification failed", SERVER_REC
nicklist.c: nicklist.c:
"nicklist new", CHANNEL_REC, NICK_REC "nicklist new", CHANNEL_REC, NICK_REC
"nicklist remove", CHANNEL_REC, NICK_REC "nicklist remove", CHANNEL_REC, NICK_REC


@ -203,7 +203,7 @@ static gboolean irssi_ssl_verify_hostname(X509 *cert, const char *hostname)
return matched; return matched;
} }
static gboolean irssi_ssl_verify(SSL *ssl, SSL_CTX *ctx, const char* hostname, int port, X509 *cert) static gboolean irssi_ssl_verify(SSL *ssl, SSL_CTX *ctx, const char* hostname, int port, X509 *cert, SERVER_REC *server)
{ {
long result; long result;
#ifdef HAVE_DANE #ifdef HAVE_DANE
@ -218,23 +218,21 @@ static gboolean irssi_ssl_verify(SSL *ssl, SSL_CTX *ctx, const char* hostname, i
dane_ret = val_getdaneinfo(NULL, hostname, &daneparams, &danestatus); dane_ret = val_getdaneinfo(NULL, hostname, &daneparams, &danestatus);
if (dane_ret == VAL_DANE_NOERROR) { if (dane_ret == VAL_DANE_NOERROR) {
g_warning("DANE: TLSA record for hostname %s exists", hostname); signal_emit("tlsa available", 1, server);
} else if (dane_ret != VAL_DANE_IGNORE_TLSA) {
g_warning("DANE: TLSA record for hostname %s could not be verified", hostname);
} }
if (danestatus != NULL) { if (danestatus != NULL) {
int do_certificate_check = 1; int do_certificate_check = 1;
if (val_dane_check(NULL, ssl, danestatus, &do_certificate_check) != VAL_DANE_NOERROR) { if (val_dane_check(NULL, ssl, danestatus, &do_certificate_check) != VAL_DANE_NOERROR) {
g_warning("DANE: Failed to verify hostname %s", hostname); g_warning("DANE: TLSA record for hostname %s port %d could not be verified", hostname, port);
signal_emit("tlsa verification failed", 1, server);
return FALSE; return FALSE;
} }
g_warning("DANE: SSL certificate verified using DANE"); signal_emit("tlsa verification success", 1, server);
if (do_certificate_check == 0) { if (do_certificate_check == 0) {
g_warning("DANE: Skipping additional checks");
return TRUE; return TRUE;
} }
} }
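Review bot: The `else if (dane_ret != VAL_DANE_IGNORE_TLSA)` branch after the `val_getdaneinfo()` call is dropped, so a lookup that neither succeeds nor says to ignore TLSA now produces no warning and no signal, and (assuming `danestatus` stays NULL on that path) the connection falls back to ordinary certificate verification with no trace in the log. Since the commit message describes `tlsa verification failed` as covering an unsuccessful TLSA check, either keep the branch as `} else if (dane_ret != VAL_DANE_IGNORE_TLSA) {` / `g_warning("DANE: TLSA record for hostname %s port %d could not be retrieved", hostname, port);` / `}` or emit a signal there so front ends can surface it. A second, smaller point: the `signal_emit("tlsa verification success", ...)` placed before the `do_certificate_check` test fires even when DANE still requires the regular X.509 checks that follow, so handlers must not read it as "connection verified"; a comment such as `/* DANE matched; do_certificate_check != 0 means the usual certificate checks below still apply */` above it would make that explicit. irssi_ssl_verify continues past the end of this hunk.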
@ -580,7 +578,7 @@ int irssi_ssl_handshake(GIOChannel *handle)
g_warning("SSL server supplied no certificate"); g_warning("SSL server supplied no certificate");
return -1; return -1;
} }
ret = !chan->verify || irssi_ssl_verify(chan->ssl, chan->ctx, chan->server->connrec->address, chan->port, cert); ret = !chan->verify || irssi_ssl_verify(chan->ssl, chan->ctx, chan->server->connrec->address, chan->port, cert, chan->server);
X509_free(cert); X509_free(cert);
return ret ? 0 : -1; return ret ? 0 : -1;
} }