-rw-r--r--docs/signals.txt5
-rw-r--r--src/core/network-openssl.c14
2 files changed, 11 insertions, 8 deletions
diff --git a/docs/signals.txt b/docs/signals.txt
index 3a7bb650..fd9ccc11 100644
--- a/docs/signals.txt
+++ b/docs/signals.txt
@@ -55,6 +55,11 @@ modules.c:
"module unloaded", MODULE_REC, MODULE_FILE_REC
"module error", int error, char *text, char *rootmodule, char *submodule
+network-openssl.c:
+ "tlsa available", SERVER_REC
+ "tlsa verification success", SERVER_REC
+ "tlsa verification failed", SERVER_REC
+
nicklist.c:
"nicklist new", CHANNEL_REC, NICK_REC
"nicklist remove", CHANNEL_REC, NICK_REC
diff --git a/src/core/network-openssl.c b/src/core/network-openssl.c
index 35687473..89b6a0e9 100644
--- a/src/core/network-openssl.c
+++ b/src/core/network-openssl.c
@@ -203,7 +203,7 @@ static gboolean irssi_ssl_verify_hostname(X509 *cert, const char *hostname)
return matched;
}
-static gboolean irssi_ssl_verify(SSL *ssl, SSL_CTX *ctx, const char* hostname, int port, X509 *cert)
+static gboolean irssi_ssl_verify(SSL *ssl, SSL_CTX *ctx, const char* hostname, int port, X509 *cert, SERVER_REC *server)
{
long result;
#ifdef HAVE_DANE
@@ -218,23 +218,21 @@ static gboolean irssi_ssl_verify(SSL *ssl, SSL_CTX *ctx, const char* hostname, i
dane_ret = val_getdaneinfo(NULL, hostname, &daneparams, &danestatus);
if (dane_ret == VAL_DANE_NOERROR) {
- g_warning("DANE: TLSA record for hostname %s exists", hostname);
- } else if (dane_ret != VAL_DANE_IGNORE_TLSA) {
- g_warning("DANE: TLSA record for hostname %s could not be verified", hostname);
+ signal_emit("tlsa available", 1, server);
}
if (danestatus != NULL) {
int do_certificate_check = 1;
if (val_dane_check(NULL, ssl, danestatus, &do_certificate_check) != VAL_DANE_NOERROR) {
- g_warning("DANE: Failed to verify hostname %s", hostname);
+ g_warning("DANE: TLSA record for hostname %s port %d could not be verified", hostname, port);
+ signal_emit("tlsa verification failed", 1, server);
return FALSE;
}
- g_warning("DANE: SSL certificate verified using DANE");
+ signal_emit("tlsa verification success", 1, server);
if (do_certificate_check == 0) {
- g_warning("DANE: Skipping additional checks");
return TRUE;
}
}
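Review bot: A failed TLSA lookup is now silent, because the removed `else if (dane_ret != VAL_DANE_IGNORE_TLSA)` branch was the only place that reported a `val_getdaneinfo()` result other than `VAL_DANE_NOERROR` and nothing replaces it. If `danestatus` stays NULL in that case (not visible in this hunk), the connection falls through to the ordinary certificate checks with neither a warning nor a signal, so a user cannot tell "no TLSA record published" from "TLSA record could not be validated". I would keep the branch, e.g. `} else if (dane_ret != VAL_DANE_IGNORE_TLSA) {` followed by `g_warning("DANE: TLSA lookup for hostname %s port %d failed", hostname, port);`, or emit a dedicated signal there. The `do_certificate_check == 0` early return likewise no longer leaves any trace that the remaining checks were skipped, so a comment such as `/* DANE result is authoritative here: hostname and chain checks below are intentionally skipped */` would help the next reader. The body of irssi_ssl_verify starts and ends outside this hunk.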
@@ -580,7 +578,7 @@ int irssi_ssl_handshake(GIOChannel *handle)
g_warning("SSL server supplied no certificate");
return -1;
}
- ret = !chan->verify || irssi_ssl_verify(chan->ssl, chan->ctx, chan->server->connrec->address, chan->port, cert);
+ ret = !chan->verify || irssi_ssl_verify(chan->ssl, chan->ctx, chan->server->connrec->address, chan->port, cert, chan->server);
X509_free(cert);
return ret ? 0 : -1;
}