aniani/irssi
1
0
Fork 0
mirror of https://github.com/irssi/irssi.git synced 2024-12-04 14:46:39 -05:00
Code

Add TLSA related signals

Browse Source 
This patch adds 3 new signals:

  * tlsa avalable: emitted if TLSA is available for a given domain.
  * tlsa verification success: emitted if the TLSA check was successful.
  * tlsa verification failed: emitted if the TLSA check was unsuccessful.

git-svn-id: file:///var/www/svn.irssi.org/SVN/irssi/trunk@5220 dbcabf3a-b0e7-0310-adc4-f8d773084564
This commit is contained in:
Alexander Færøy 2013-06-23 23:50:32 +00:00 committed by ahf
parent cb873d5b91
commit 4d36a9e498
2 changed files with 11 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
docs/signals.txt
View File

@ -55,6 +55,11 @@ modules.c:
"module unloaded", MODULE_REC, MODULE_FILE_REC
"module error", int error, char *text, char *rootmodule, char *submodule
network-openssl.c:
"tlsa available", SERVER_REC
"tlsa verification success", SERVER_REC
"tlsa verification failed", SERVER_REC
nicklist.c:
"nicklist new", CHANNEL_REC, NICK_REC
"nicklist remove", CHANNEL_REC, NICK_REC

14
src/core/network-openssl.c
View File

@ -203,7 +203,7 @@ static gboolean irssi_ssl_verify_hostname(X509 *cert, const char *hostname)
return matched;
}
static gboolean irssi_ssl_verify(SSL *ssl, SSL_CTX *ctx, const char* hostname, int port, X509 *cert)
static gboolean irssi_ssl_verify(SSL *ssl, SSL_CTX *ctx, const char* hostname, int port, X509 *cert, SERVER_REC *server)
{
long result;
#ifdef HAVE_DANE
@ -218,23 +218,21 @@ static gboolean irssi_ssl_verify(SSL *ssl, SSL_CTX *ctx, const char* hostname, i
dane_ret = val_getdaneinfo(NULL, hostname, &daneparams, &danestatus);
if (dane_ret == VAL_DANE_NOERROR) {
g_warning("DANE: TLSA record for hostname %s exists", hostname);
} else if (dane_ret != VAL_DANE_IGNORE_TLSA) {
g_warning("DANE: TLSA record for hostname %s could not be verified", hostname);
signal_emit("tlsa available", 1, server);
}
if (danestatus != NULL) {
int do_certificate_check = 1;
if (val_dane_check(NULL, ssl, danestatus, &do_certificate_check) != VAL_DANE_NOERROR) {
g_warning("DANE: Failed to verify hostname %s", hostname);
g_warning("DANE: TLSA record for hostname %s port %d could not be verified", hostname, port);
signal_emit("tlsa verification failed", 1, server);
return FALSE;
}
g_warning("DANE: SSL certificate verified using DANE");
signal_emit("tlsa verification success", 1, server);
if (do_certificate_check == 0) {
g_warning("DANE: Skipping additional checks");
return TRUE;
}
}
@ -580,7 +578,7 @@ int irssi_ssl_handshake(GIOChannel *handle)
g_warning("SSL server supplied no certificate");
return -1;
}
ret = !chan->verify || irssi_ssl_verify(chan->ssl, chan->ctx, chan->server->connrec->address, chan->port, cert);
ret = !chan->verify || irssi_ssl_verify(chan->ssl, chan->ctx, chan->server->connrec->address, chan->port, cert, chan->server);
X509_free(cert);
return ret ? 0 : -1;
}