authordefanor <defanor@uberspace.net>2020-11-12 14:23:30 +0300
committerdefanor <defanor@uberspace.net>2020-11-12 14:23:30 +0300
commit257999ac7a08789cc421983493e43ecf5e169bab (patch)
tree5508c95777e2da46d100b21e3ccd9ef3ca8beb9a
parent6eabee8c7612a58695e791cb1281aae1a6c5c215 (diff)
Check server certificates using DANE (TLSA)
Currently this is experimental and does not affect the verification result (it only adds a delay); perhaps the verification should be made configurable, including an option to rely on DANE.
-rw-r--r--README3
-rw-r--r--configure.ac4
-rw-r--r--src/Makefile.am4
-rw-r--r--src/rexmpp.c24
4 files changed, 32 insertions, 3 deletions
diff --git a/README b/README
index 211030d..b03ddce 100644
--- a/README
+++ b/README
@@ -14,7 +14,7 @@ rely on any particular UI, should be flexible and not stay in the way
of implementing additional XEPs on top of it, and should try to make
it easy to implement a decent client application using it.
-Current dependencies: c-ares, libxml2, gnutls, gsasl.
+Current dependencies: c-ares, libxml2, gnutls, gnutls-dane, gsasl.
A rough roadmap:
@@ -39,6 +39,7 @@ A rough roadmap:
[+] XEP-0368: SRV records for XMPP over TLS.
[+] SOCKS5 (RFC 1928) support. Implemented, though can be improved.
[+] XEP-0199: XMPP Ping.
+[.] Certificate verification using DANE (experimental).
- Library refinement:
diff --git a/configure.ac b/configure.ac
index 942c7a3..589fd4e 100644
--- a/configure.ac
+++ b/configure.ac
@@ -24,6 +24,10 @@ PKG_CHECK_MODULES([GNUTLS], [gnutls])
AC_SUBST(GNUTLS_CFLAGS)
AC_SUBST(GNUTLS_LIBS)
+PKG_CHECK_MODULES([LIBDANE], [gnutls-dane])
+AC_SUBST([LIBDANE_CFLAGS])
+AC_SUBST([LIBDANE_LIBS])
+
PKG_CHECK_MODULES([GSASL], [libgsasl])
AC_SUBST(GSASL_CFLAGS)
AC_SUBST(GSASL_LIBS)
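Review bot: `PKG_CHECK_MODULES([LIBDANE], [gnutls-dane])` turns libgnutls-dane into a hard build requirement for a feature the commit message itself calls experimental and purely informative, so configuring on a system without the gnutls-dane pkg-config module now fails outright. Gating the check behind an `AC_ARG_WITH([dane], …)` option that sets an `AC_DEFINE` symbol, and placing the `src/rexmpp.c` include and call site under the matching `#ifdef`, would keep the dependency optional until the DANE result actually influences verification. The same conditional would need to cover the `$(LIBDANE_CFLAGS)` / `$(LIBDANE_LIBS)` additions in `src/Makefile.am`.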
diff --git a/src/Makefile.am b/src/Makefile.am
index 741add0..182c79f 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -13,5 +13,5 @@ librexmpp_la_SOURCES = rexmpp_roster.h rexmpp_roster.c \
rexmpp_socks.h rexmpp_socks.c \
rexmpp.h rexmpp.c
include_HEADERS = rexmpp_roster.h rexmpp_tcp.h rexmpp_socks.h rexmpp.h
-librexmpp_la_CFLAGS = $(AM_CFLAGS) $(LIBXML_CFLAGS) $(GNUTLS_CFLAGS) $(GSASL_CFLAGS) $(CARES_CFLAGS)
-librexmpp_la_LIBADD = $(LIBXML_LIBS) $(GNUTLS_LIBS) $(GSASL_LIBS) $(CARES_LIBS)
+librexmpp_la_CFLAGS = $(AM_CFLAGS) $(LIBXML_CFLAGS) $(GNUTLS_CFLAGS) $(LIBDANE_CFLAGS) $(GSASL_CFLAGS) $(CARES_CFLAGS)
+librexmpp_la_LIBADD = $(LIBXML_LIBS) $(GNUTLS_LIBS) $(LIBDANE_LIBS) $(GSASL_LIBS) $(CARES_LIBS)
diff --git a/src/rexmpp.c b/src/rexmpp.c
index 267f91f..104d2b1 100644
--- a/src/rexmpp.c
+++ b/src/rexmpp.c
@@ -18,6 +18,7 @@
#include <gnutls/gnutls.h>
#include <gnutls/crypto.h>
#include <gnutls/x509.h>
+#include <gnutls/dane.h>
#include <gsasl.h>
#include "rexmpp.h"
@@ -1001,6 +1002,29 @@ rexmpp_err_t rexmpp_tls_handshake (rexmpp_t *s) {
return REXMPP_E_AGAIN;
} else if (ret == 0) {
int status;
+ /* Check DANE TLSA records; experimental and purely informative
+ now, but may be nice to (optionally) rely on it in the
+ future. */
+ ret = dane_verify_session_crt(NULL, s->gnutls_session, s->server_host,
+ "tcp", s->server_port, 0, 0, &status);
+ if (ret) {
+ rexmpp_log(s, LOG_WARNING, "DANE verification error: %s",
+ dane_strerror(ret));
+ } else if (status) {
+ if (status & DANE_VERIFY_CA_CONSTRAINTS_VIOLATED) {
+ rexmpp_log(s, LOG_WARNING, "The CA constraints were violated");
+ }
+ if (status & DANE_VERIFY_CERT_DIFFERS) {
+ rexmpp_log(s, LOG_WARNING, "The certificate obtained via DNS differs");
+ }
+ if (status & DANE_VERIFY_UNKNOWN_DANE_INFO) {
+ rexmpp_log(s, LOG_WARNING,
+ "No known DANE data was found in the DNS record");
+ }
+ } else {
+ rexmpp_log(s, LOG_INFO,
+ "DANE verification did not reject the certificate");
+ }
ret = gnutls_certificate_verify_peers3(s->gnutls_session,
jid_bare_to_host(s->initial_jid),
&status);
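Review bot: `dane_verify_session_crt(NULL, …)` on the `ret =` line performs a synchronous TLSA lookup, creating and tearing down a libdane state internally on every handshake, inside a handshake path that is otherwise non-blocking (`return REXMPP_E_AGAIN` directly above), so the DNS round trip the commit message calls a delay stalls the caller's event loop and a slow or unreachable resolver stalls it for the full resolver timeout. Since `status` is immediately overwritten by `gnutls_certificate_verify_peers3`, the block is log-only, which is worth saying at the top of the comment so nobody reads the LOG_INFO line as a passed check: `/* Result is logged only; the connection proceeds regardless of it. */`. The `if (ret)` branch also reports a host with no TLSA records (the common case, which libdane returns as its own error code, `DANE_E_NO_DANE_DATA` if I recall the header correctly) at the same LOG_WARNING level as a genuine resolver failure, so every connection to a non-DANE server warns; that outcome belongs at LOG_INFO or LOG_DEBUG, keeping LOG_WARNING for real errors. If this is later made authoritative, note that with the default state flags libdane only trusts DNSSEC-validated answers, and that per RFC 7673 the TLSA owner name must be the SRV target and the SRV lookup itself must have been secure — whether `s->server_host` is that target cannot be told from the hunk. `rexmpp_tls_handshake` begins before this hunk and continues after it.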