authorAlexander Færøy <ahf@0x90.dk>2016-10-21 01:17:35 +0200
committerAlexander Færøy <ahf@0x90.dk>2016-10-22 22:04:33 +0200
commit5a04430998ada5ae800aa0a88638206de51287ca (patch)
tree5002a7510e459faed44e7801e1b719ccc68aebbe
parentf533baa191428b3cbdbba151d575b69e3a783f68 (diff)
Kill support for DANE.
This patch removes support for DANE validation of TLS certificates. There wasn't enough support in the IRC community to push for this on the majority of bigger IRC networks. If you believe this should be reintroduced into irssi, then please come up with an implementation that does not rely on the libval library. It is causing a lot of trouble for our downstream maintainers.
-rw-r--r--NEWS8
-rw-r--r--configure.ac21
-rw-r--r--docs/signals.txt3
-rw-r--r--src/core/network-openssl.c39
4 files changed, 8 insertions, 63 deletions
diff --git a/NEWS b/NEWS
index e4431839..1709fbc3 100644
--- a/NEWS
+++ b/NEWS
@@ -46,6 +46,14 @@ v0.8.21-head 2016-xx-xx The Irssi team <staff@irssi.org>
openssl dgst -sha256 -c | \
tr a-z A-Z
+ + Remove support for DANE validation of TLS certificates.
+
+ There wasn't enough support in the IRC community to push for this on the
+ majority of bigger IRC networks. If you believe this should be
+ reintroduced into irssi, then please come up with an implementation that
+ does not rely on the libval library. It is causing a lot of troubles for
+ our downstream maintainers.
+
- IP addresses are no longer stored when resolve_reverse_lookup is
used.
- /names and $[...] now uses utf8 string operations (#40, #411).
diff --git a/configure.ac b/configure.ac
index 629dd590..32a3ebfd 100644
--- a/configure.ac
+++ b/configure.ac
@@ -135,15 +135,6 @@ AC_ARG_WITH(perl,
fi,
want_perl=static)
-AC_ARG_ENABLE(dane,
-[ --enable-dane Enable DANE support],
- if test x$enableval = xno ; then
- want_dane=no
- else
- want_dane=yes
- fi,
- want_dane=no)
-
AC_ARG_ENABLE(true-color,
[ --enable-true-color Build with true color support in terminal],
if test x$enableval = xno ; then
@@ -537,17 +528,6 @@ COMMON_LIBS="$FE_COMMON_LIBS $COMMON_NOUI_LIBS"
AC_SUBST(COMMON_NOUI_LIBS)
AC_SUBST(COMMON_LIBS)
-have_dane=no
-if test "x$want_dane" = "xyes"; then
- AC_MSG_CHECKING([for DANE])
- AC_CHECK_LIB(val-threads, val_getdaneinfo,
- [
- LIBS="$LIBS -lval-threads -lsres"
- AC_DEFINE([HAVE_DANE], [], [DANE support])
- have_dane=yes
- ], [], [-lssl -lcrypto -lsres -lpthread])
-fi
-
if test "x$want_truecolor" = "xyes"; then
AC_DEFINE([TERM_TRUECOLOR], [], [true color support in terminal])
else
@@ -667,7 +647,6 @@ echo "Install prefix ................... : $prefix"
echo
echo "Building with 64bit DCC support .. : $offt_64bit"
-echo "Building with DANE support ....... : $have_dane"
echo "Building with true color support.. : $want_truecolor"
echo
diff --git a/docs/signals.txt b/docs/signals.txt
index 47db3575..7776dad7 100644
--- a/docs/signals.txt
+++ b/docs/signals.txt
@@ -56,9 +56,6 @@ modules.c:
"module error", int error, char *text, char *rootmodule, char *submodule
network-openssl.c:
- "tlsa available", SERVER_REC
- "tlsa verification success", SERVER_REC
- "tlsa verification failed", SERVER_REC
"tls handshake finished", SERVER_REC, TLS_REC
nicklist.c:
diff --git a/src/core/network-openssl.c b/src/core/network-openssl.c
index 4c6b75dd..e28c8c14 100644
--- a/src/core/network-openssl.c
+++ b/src/core/network-openssl.c
@@ -32,11 +32,6 @@
#include <openssl/ssl.h>
#include <openssl/err.h>
-#ifdef HAVE_DANE
-#include <validator/validator.h>
-#include <validator/val_dane.h>
-#endif
-
/* ssl i/o channel object */
typedef struct
{
@@ -207,40 +202,6 @@ static gboolean irssi_ssl_verify(SSL *ssl, SSL_CTX *ctx, const char* hostname, i
{
long result;
-#ifdef HAVE_DANE
- int dane_ret;
- struct val_daneparams daneparams;
- struct val_danestatus *danestatus = NULL;
-
- // Check if a TLSA record is available.
- daneparams.port = port;
- daneparams.proto = DANE_PARAM_PROTO_TCP;
-
- dane_ret = val_getdaneinfo(NULL, hostname, &daneparams, &danestatus);
-
- if (dane_ret == VAL_DANE_NOERROR) {
- signal_emit("tlsa available", 1, server);
- }
-
- if (danestatus != NULL) {
- int do_certificate_check = 1;
-
- if (val_dane_check(NULL, ssl, danestatus, &do_certificate_check) != VAL_DANE_NOERROR) {
- g_warning("DANE: TLSA record for hostname %s port %d could not be verified", hostname, port);
- signal_emit("tlsa verification failed", 1, server);
- val_free_dane(danestatus);
- return FALSE;
- }
-
- signal_emit("tlsa verification success", 1, server);
- val_free_dane(danestatus);
-
- if (do_certificate_check == 0) {
- return TRUE;
- }
- }
-#endif
-
result = SSL_get_verify_result(ssl);
if (result != X509_V_OK) {
g_warning("Could not verify TLS servers certificate: %s", X509_verify_cert_error_string(result));