author | defanor <defanor@uberspace.net> | 2020-11-12 14:23:30 +0300 |
---|---|---|
committer | defanor <defanor@uberspace.net> | 2020-11-12 14:23:30 +0300 |
commit | 257999ac7a08789cc421983493e43ecf5e169bab (patch) | |
tree | 5508c95777e2da46d100b21e3ccd9ef3ca8beb9a /src/rexmpp.c | |
parent | 6eabee8c7612a58695e791cb1281aae1a6c5c215 (diff) |
Check server certificates using DANE (TLSA)
Currently it is just experimental and does not affect the
verification (except for adding a delay); perhaps the verification
should be made configurable, including an option to rely on DANE.
Diffstat (limited to 'src/rexmpp.c')
-rw-r--r-- | src/rexmpp.c | 24 |
1 files changed, 24 insertions, 0 deletions
diff --git a/src/rexmpp.c b/src/rexmpp.c
index 267f91f..104d2b1 100644
--- a/src/rexmpp.c
+++ b/src/rexmpp.c
@@ -18,6 +18,7 @@
 #include <gnutls/gnutls.h>
 #include <gnutls/crypto.h>
 #include <gnutls/x509.h>
+#include <gnutls/dane.h>
 #include <gsasl.h>
 #include "rexmpp.h"
@@ -1001,6 +1002,29 @@ rexmpp_err_t rexmpp_tls_handshake (rexmpp_t *s) {
     return REXMPP_E_AGAIN;
   } else if (ret == 0) {
     int status;
+    /* Check DANE TLSA records; experimental and purely informative
+       now, but may be nice to (optionally) rely on it in the
+       future. */
+    ret = dane_verify_session_crt(NULL, s->gnutls_session, s->server_host,
+                                  "tcp", s->server_port, 0, 0, &status);
+    if (ret) {
+      rexmpp_log(s, LOG_WARNING, "DANE verification error: %s",
+                 dane_strerror(ret));
+    } else if (status) {
+      if (status & DANE_VERIFY_CA_CONSTRAINTS_VIOLATED) {
+        rexmpp_log(s, LOG_WARNING, "The CA constraints were violated");
+      }
+      if (status & DANE_VERIFY_CERT_DIFFERS) {
+        rexmpp_log(s, LOG_WARNING, "The certificate obtained via DNS differs");
+      }
+      if (status & DANE_VERIFY_UNKNOWN_DANE_INFO) {
+        rexmpp_log(s, LOG_WARNING,
+                   "No known DANE data was found in the DNS record");
+      }
+    } else {
+      rexmpp_log(s, LOG_INFO,
+                 "DANE verification did not reject the certificate");
+    }
     ret = gnutls_certificate_verify_peers3(s->gnutls_session,
                                            jid_bare_to_host(s->initial_jid),
                                            &status);
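Review bot: The DANE result is discarded before it can matter: `ret` is reassigned by `gnutls_certificate_verify_peers3` on the context line immediately after the new block and `status` is overwritten with it, so the only runtime effect today is a synchronous TLSA lookup (a `NULL` state means a fresh resolver per handshake) inside a function that otherwise returns `REXMPP_E_AGAIN` to stay non-blocking. Servers that publish no TLSA records will, if I recall the library's contract correctly, take the `if (ret)` branch rather than the `status` branches, so the common case produces a `LOG_WARNING` "DANE verification error" indistinguishable from a genuine failure; separating it, e.g. `if (ret == DANE_E_NO_DANE_DATA) { rexmpp_log(s, LOG_DEBUG, "No TLSA records for %s", s->server_host); } else if (ret) {`, keeps the warning meaningful. The block comment should also record the rule for when this stops being informative: only DNSSEC-validated TLSA data may tighten or relax the PKIX outcome, and absence of data must leave the existing `gnutls_certificate_verify_peers3` decision untouched. `status` is declared `int` while both verifiers write through an `unsigned int *`; that mismatch predates the patch, but the new call inherits it. `rexmpp_tls_handshake` begins at the hunk header and continues past the hunk.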